tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Bill Barker" <>
Subject Re: Cookies are broken in 6.0.16?
Date Mon, 11 Feb 2008 01:06:05 GMT

"Remy Maucherat" <> wrote in message 
> On Sun, 2008-02-10 at 23:29 +0000, Mark Thomas wrote:
>> Filip Hanik - Dev Lists wrote:
>> > Would this be ok, given its a spec class? or do we have to leave this
>> > class untouched and modify it elsewhere, in which case it'd be more of 
>> > a
>> > hack.
>> I think, as long as we leave the public interface unchanged, changing the
>> spec class would be fine.
>> The spec says that RFC 2109 should be used by default so if
>> org.apache.catalina.STRICT_SERVLET_COMPLIANCE is true I think v0 cookies
>> should be used.
> There's also an opportunity to force the version in addCookie. Not as
> nice, but this may cause less problems.

+1 to put in addCookie or in ServerCookie.  Other projects use Tomcat's 
version of the servlet-api.jar, and I don't like the idea of publishing one 
that isn't strictly spec compliant.  Of course, as Remy pointed out, this 
has the effect of forcing v1 cookies as a downside.

Probably better than forcing the version is to revert to 'always quote' in 
ServerCookie unless the STRICT_SERVLET_COMPIANCE flag is true.  We did the 
'always quote' in the first place because it is more browser friendly (at 
least for 21st century browsers).

> Rémy 

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message