tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From David Jencks <david_jen...@yahoo.com>
Subject Re: Cookies are broken in 6.0.16?
Date Mon, 11 Feb 2008 07:44:13 GMT

On Feb 10, 2008, at 2:42 PM, Filip Hanik - Dev Lists wrote:

> Remy Maucherat wrote:
>> On Sun, 2008-02-10 at 11:17 -0700, Filip Hanik - Dev Lists wrote:
>>
>>> Remy Maucherat wrote:
>>>
>>>> On Sun, 2008-02-10 at 11:44 -0500, Jim Manico wrote:
>>>>
>>>>> Filip - you are 100% correct on this thread. Are you basically  
>>>>> the traffic cop guarding the core of Tomcat?
>>>>>
>>>> I understand, you are not impacted by the behavior change, and as a
>>>> result this allows you to be "fair", I suppose. The issue is  
>>>> that the
>>>> behavior of Tomcat has been different, in all prior releases, and
>>>> changing it of all a sudden without any configuration capability  
>>>> because
>>>> it feels nice to play "spec lawyer" is wrong to me. Similar  
>>>> decisions
>>>> have been made in the past, and this did cause problems, it's  
>>>> simply
>>>> faster to add the appropriate options right away.
>>>>
>>> what about my suggestion, to add a flag to default to v1 cookies.  
>>> they get quoted and old behavior will continue to work.
>>>
>>
>> This is the sort of configuration option which seems appropriate.
>>
> essentially, browsers treated our previous v0 cookies as v1 when we  
> quoted them.
> question, obviously it would be easiest for us to put the global  
> flag in the javax.servlet.http.Cookie class directly
> -private int version = 0;    // ;Version=1 ... means RFC 2109++ style
> +private int version = Integer.parseInt(System.getProperty 
> ("org.apache.catalina.cookie.version","1")); // ;Version=1 ...  
> means RFC 2109++ style
>
> Would this be ok, given its a spec class? or do we have to leave  
> this class untouched and modify it elsewhere, in which case it'd be  
> more of a hack.

I would hope that you would put this behavior in a non javax class  
since it's possible that tomcat may be used with other peoples  
servlet spec jars.  I think consistent behavior independent of which  
spec jar you happen to pick would be desirable.

thanks
david jencks

>
> Filip
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: dev-help@tomcat.apache.org
>


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Mime
View raw message