tomcat-dev mailing list archives

From Sven Köhler <>
Subject Re: Cookies are broken in 6.0.16?
Date Tue, 12 Feb 2008 11:03:45 GMT
>> Actually, the spec doesn't disagree with choosing any of the = ...
>> But some users have supplied some reasonable arguments (base64 is
>> padding with =, etc.) to rather choose the first = over the other ones.
> in that case, the user should use v1 cookies :)

Yes, right, you're 100% right - but this thread is not about v1 cookies. 
It's about v0 cookies.

In the case of v0 cookies, we hit the "damn, the spec is messed up - 
what should we do?"-case. And in this case, well - what do we do?

What would REALLY be best is to throw an exception upon setting a name or 
a value containing the = sign, or spaces, or any illegal characters of 
that kind.
Soon, after some future versions of Tomcat, the mailing list may actually 
experience that people start using names containing the = character, 
because choosing the last = character in the cookie for splitting permits 
them to do so.

Well, simply make things REALLY safe (throwing an exception and the like - 
well, does the servlet spec allow you to do so? oh my god - I can see it 
coming: it doesn't.) Or rather try to imitate the old behaviour as well 
as you can without violating the spec, or the TCK test, etc.
And it seems to be the case that people don't use names containing the = 
character but rather use values that do, which was possible with the old 
behaviour - and indeed seems to me to be the use-case used much more 
often than the "name contains =" use-case.

So if satisfying users really matters to you, you developers really have 
the choice, since the spec gives you that freedom, you really should ...
