tomcat-dev mailing list archives

From Mladen Turk <mt...@apache.org>
Subject Re: [PATCH] Cookie, Cookie2 Header fix for mod_jk
Date Wed, 07 Dec 2005 18:08:49 GMT
Andre Gebers wrote:
> Hi,
> 
> newer versions of opera send the Cookie2-header along with the 
> Cookie-header which looks somewhat like this:
> 

Right, but the patch would not work.
It would be a security hole, because the http rfc
differentiates cookie from cookie2.

Right now the Cookie2 header is passed as unknown header,
so it should work anyhow if the remote accepts the Cookie2.
IIRC it is not part of Servlet-spec, so it would not show
in javax.servlet.Cookie.

We would need to extend the AJP1.3 protocol to support
missing HTTP/1.1 features (the Cookie2 is not the only one).

I'm in the process of proposing those additions, but it will
probably be inside jk3 (jk1.3).

Thanks,
Mladen.
