tomcat-dev mailing list archives

From Remy Maucherat
Subject Re: Cookies are broken in 6.0.16?
Date Sun, 10 Feb 2008 10:25:23 GMT
Filip Hanik - Dev Lists wrote:
> Jim Manico wrote:
>> > I guess we could throw a runtime exception if the value contained
>> > any of those. Other than that, I'm not sure how to behave.
>> I think this is the best case scenario for v0 cookies. Perhaps, if you 
>> really want to get fancy, you can add a flag to let legacy solutions 
>> roll back to the old/non-standard cookie handling methodology?
> No, we won't do that. We fixed the cookie behavior in this release due to
> security issues filed against the old parsing.

The security issue only exists because of a fundamentally broken servlet 
in the examples, and assumes the user will click on a URL. That's not 
what I call a security problem.

