tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Filip Hanik - Dev Lists <devli...@hanik.com>
Subject Re: Cookies are broken in 6.0.16?
Date Mon, 11 Feb 2008 03:01:34 GMT
Bill Barker wrote:
> "Remy Maucherat" <remm@apache.org> wrote in message 
> news:1202687816.3338.16.camel@localhost.localdomain...
>   
>> On Sun, 2008-02-10 at 23:29 +0000, Mark Thomas wrote:
>>     
>>> Filip Hanik - Dev Lists wrote:
>>>       
>>>> Would this be ok, given its a spec class? or do we have to leave this
>>>> class untouched and modify it elsewhere, in which case it'd be more of 
>>>> a
>>>> hack.
>>>>         
>>> I think, as long as we leave the public interface unchanged, changing the
>>> spec class would be fine.
>>>
>>> The spec says that RFC 2109 should be used by default so if
>>> org.apache.catalina.STRICT_SERVLET_COMPLIANCE is true I think v0 cookies
>>> should be used.
>>>       
>> There's also an opportunity to force the version in addCookie. Not as
>> nice, but this may cause less problems.
>>
>>     
>
> +1 to put in addCookie or in ServerCookie.  Other projects use Tomcat's 
> version of the servlet-api.jar, and I don't like the idea of publishing one 
> that isn't strictly spec compliant.  Of course, as Remy pointed out, this 
> has the effect of forcing v1 cookies as a downside.
>
> Probably better than forcing the version is to revert to 'always quote' in 
> ServerCookie unless the STRICT_SERVLET_COMPIANCE flag is true.  We did the 
> 'always quote' in the first place because it is more browser friendly (at 
> least for 21st century browsers).
>   
this comes with all the other side effects of strict servlet compliance.
I'm open to either option, ie forcing cookies, or always quoting, but 
would prefer a separate flag

Filip

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Mime
View raw message