tomcat-dev mailing list archives

From Jim Manico <...@manico.net>
Subject Re: Cookies are broken in 6.0.16?
Date Sun, 10 Feb 2008 00:53:48 GMT
What about making

//cookies v0
c = new javax.servlet.http.Cookie("abcv0","123==");
response.addCookie(c);

at least throw some kind of malformedCookieData exception instead of
just "failing gracefully" to accelerate programmers' ability to upgrade
legacy systems?

- Jim

> On Sat, 2008-02-09 at 16:14 -0700, Filip Hanik - Dev Lists wrote:
>> no regression, if you do this
>>
>>   c = new javax.servlet.http.Cookie("abcv1","123==");
>>   c.setVersion(1);
>>   response.addCookie(c);
>>
>> then it works just fine.
>>
>> however, if you do
>>   c = new javax.servlet.http.Cookie("abcv0","123==");
>>   response.addCookie(c);
>>
>> then it doesn't. if we encode it, (which we did at our first attempt for 
>> v0 cookies) we actually don't pass the TCK.
>> only v1 cookies should be double quoted, in previous versions of tomcat, 
>> I believe everything got double quoted, regardless of version on the cookie.
>>
>> v0 cookies, the spec says
>>
>> /NAME/=/VALUE/
>>     This string is a sequence of characters excluding semi-colon, comma
>>     and white space. If there is a need to place such data in the name
>>     or value, some encoding method such as URL style %XX encoding is
>>     recommended, though no encoding is defined or required.
>>
>> the problem was that encoding wasn't defined nor required. so when we 
>> followed the spec, and added %XX encoding, TCK tests failed.
>>
>> at this point I would say, we handle cookies correctly. if one needs == 
>> at the end of the cookie, then they need to use v1 cookies, according to 
>> spec
>>     
>
> I find the regressions caused by the new behavior problematic, and it
> will cause lots of problems with existing applications, since the
> default cookie version used is version 0.
>
> As I'm the only one complaining at the moment, I think I'll take my
> concerns elsewhere, no problem, I get the idea :) Obviously, when I say
> "encoding", I am not talking about quoting the whole value (or name) as
> was done before.
>
> Rémy
>
>   
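
An application-side way to keep a value such as "123==" usable in a version 0 cookie, using the %XX encoding that the quoted spec text recommends and decoding it again on read. This is an added example, not part of the original thread and not Tomcat code; the class `V0CookieValue`, its methods and the conservative safe-character set are assumptions.

```java
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;

// Added example, not Tomcat code. Class and method names are hypothetical.
public class V0CookieValue {
    // Assumption: only unreserved URL characters pass through unencoded,
    // so '=', ';', ',', whitespace, '"' and '%' are always escaped.
    private static final String SAFE =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~";

    /** %XX-encode every UTF-8 byte of the value that is outside the safe set. */
    static String encode(String value) {
        StringBuilder out = new StringBuilder();
        for (byte b : value.getBytes(StandardCharsets.UTF_8)) {
            int c = b & 0xFF;
            if (SAFE.indexOf(c) >= 0) out.append((char) c);
            else out.append(String.format("%%%02X", c));
        }
        return out.toString();
    }

    /** ASCII hex digit value, or -1 for anything else. */
    private static int hex(char ch) {
        return ch < 128 ? Character.digit(ch, 16) : -1;
    }

    /** Reverse of encode(); malformed input is rejected instead of passed through. */
    static String decode(String encoded) {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        for (int i = 0; i < encoded.length(); i++) {
            char c = encoded.charAt(i);
            if (c == '%') {
                if (i + 2 >= encoded.length())
                    throw new IllegalArgumentException("truncated escape at " + i);
                int hi = hex(encoded.charAt(i + 1)), lo = hex(encoded.charAt(i + 2));
                if (hi < 0 || lo < 0)
                    throw new IllegalArgumentException("bad escape at " + i);
                bytes.write(hi * 16 + lo);
                i += 2;
            } else if (SAFE.indexOf(c) >= 0) {
                bytes.write(c);
            } else {
                throw new IllegalArgumentException("unencoded character at " + i);
            }
        }
        return new String(bytes.toByteArray(), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        String wire = encode("123==");   // value taken from the thread
        System.out.println(wire + " -> " + decode(wire));
        // In a servlet: response.addCookie(new javax.servlet.http.Cookie("abcv0", wire));
        // and on the next request: decode(cookie.getValue())
    }
}
```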

