tomcat-dev mailing list archives

From Filip Hanik - Dev Lists <>
Subject Re: Cookies are broken in 6.0.16?
Date Mon, 11 Feb 2008 03:01:34 GMT
Bill Barker wrote:
> "Remy Maucherat" <> wrote in message 
> news:1202687816.3338.16.camel@localhost.localdomain...
>> On Sun, 2008-02-10 at 23:29 +0000, Mark Thomas wrote:
>>> Filip Hanik - Dev Lists wrote:
>>>> Would this be ok, given it's a spec class? Or do we have to leave this
>>>> class untouched and modify it elsewhere, in which case it'd be more of
>>>> a hack.
>>> I think, as long as we leave the public interface unchanged, changing the
>>> spec class would be fine.
>>> The spec says that RFC 2109 should be used by default so if
>>> org.apache.catalina.STRICT_SERVLET_COMPLIANCE is true I think v0 cookies
>>> should be used.
>> There's also an opportunity to force the version in addCookie. Not as
>> nice, but this may cause fewer problems.
> +1 to put in addCookie or in ServerCookie.  Other projects use Tomcat's 
> version of the servlet-api.jar, and I don't like the idea of publishing one 
> that isn't strictly spec compliant.  Of course, as Remy pointed out, this 
> has the effect of forcing v1 cookies as a downside.
> Probably better than forcing the version is to revert to 'always quote' in 
> ServerCookie unless the STRICT_SERVLET_COMPLIANCE flag is true.  We did the 
> 'always quote' in the first place because it is more browser friendly (at 
> least for 21st century browsers).
This comes with all the other side effects of strict servlet compliance.
I'm open to either option, i.e. forcing cookies, or always quoting, but 
would prefer a separate flag.

