tomcat-dev mailing list archives

From Filip Hanik - Dev Lists <devli...@hanik.com>
Subject Re: Cookies are broken in 6.0.16?
Date Wed, 13 Feb 2008 12:37:47 GMT
What do you guys think of this one?
http://people.apache.org/~fhanik/patches/cookie-default-v1.patch

Basically, instead of forcing all cookies to v1, it does this:

   if the cookie is v0
      and
   the switchToV1 flag is true (let me know what the default value should be)
      and
   the cookie contains invalid characters
      then ->
   quote the cookie and set the version to 1

Filip

Bill Barker wrote:
> "Remy Maucherat" <remm@apache.org> wrote in message 
> news:1202687816.3338.16.camel@localhost.localdomain...
>   
>> On Sun, 2008-02-10 at 23:29 +0000, Mark Thomas wrote:
>>     
>>> Filip Hanik - Dev Lists wrote:
>>>       
>>>> Would this be ok, given it's a spec class? Or do we have to leave this
>>>> class untouched and modify it elsewhere, in which case it'd be more of a
>>>> hack.
>>>>         
>>> I think, as long as we leave the public interface unchanged, changing the
>>> spec class would be fine.
>>>
>>> The spec says that RFC 2109 should be used by default so if
>>> org.apache.catalina.STRICT_SERVLET_COMPLIANCE is true I think v0 cookies
>>> should be used.
>>>       
>> There's also an opportunity to force the version in addCookie. Not as
>> nice, but this may cause less problems.
>>
>>     
>
> +1 to put in addCookie or in ServerCookie.  Other projects use Tomcat's 
> version of the servlet-api.jar, and I don't like the idea of publishing one 
> that isn't strictly spec compliant.  Of course, as Remy pointed out, this 
> has the effect of forcing v1 cookies as a downside.
>
> Probably better than forcing the version is to revert to 'always quote' in 
> ServerCookie unless the STRICT_SERVLET_COMPLIANCE flag is true.  We did the 
> 'always quote' in the first place because it is more browser friendly (at 
> least for 21st century browsers).
>
>   
>> Rémy 
>>     
>
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: dev-help@tomcat.apache.org
>
>
>
>   
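
The decision rule described at the top of this message, as an added Java sketch (not the linked patch and not Tomcat's code). Only the `switchToV1` name comes from the message; the class and method names, the separator set (RFC 2616 separators) and the rejection of control characters are assumptions. Requires Java 16 or later.

```java
import java.util.List;

public class CookieVersionSwitch {
    // Assumption: "invalid characters" means the RFC 2616 separators,
    // which include space and tab.
    static final String SEPARATORS = "()<>@,;:\\\"/[]?={} \t";

    // Hypothetical result holder: version to emit and the serialized value.
    record Result(int version, String value) {}

    static boolean needsQuoting(String value) {
        boolean found = false;
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            // Assumption added here: control characters are rejected, because
            // quoting cannot make CR or LF safe inside a header line.
            if ((c < 0x20 && c != '\t') || c == 0x7f) {
                throw new IllegalArgumentException("control character in cookie value");
            }
            if (SEPARATORS.indexOf(c) >= 0) found = true;
        }
        return found;
    }

    static String quote(String value) {
        StringBuilder sb = new StringBuilder("\"");
        for (char c : value.toCharArray()) {
            if (c == '"' || c == '\\') sb.append('\\'); // escape inside quoted-string
            sb.append(c);
        }
        return sb.append('"').toString();
    }

    // v0 + flag set + invalid characters -> quote and switch to version 1.
    static Result apply(int version, String value, boolean switchToV1) {
        if (version == 0 && switchToV1 && needsQuoting(value)) {
            return new Result(1, quote(value));
        }
        return new Result(version, value); // otherwise left untouched
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from the thread.
        for (String v : List.of("abc123", "a=b; path=/x", "say \"hi\"")) {
            for (boolean flag : new boolean[] {true, false}) {
                Result r = apply(0, v, flag);
                System.out.printf("switchToV1=%-5b [%s] -> Version=%d value=%s%n",
                        flag, v, r.version(), r.value());
            }
        }
    }
}
```

With the flag off, the second sample value is emitted unquoted as v0, so a client that splits on `;` reads `path=/x` as a cookie attribute rather than as part of the value.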

