tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mark Thomas <ma...@apache.org>
Subject Re: Cookie interoperability
Date Fri, 20 Feb 2009 12:19:14 GMT
Dillon Sellars wrote:
> read non-standard cookies set by 3rd parties. In my case, the cookie value
> in not enclosed in double quotes has a couple of spaces in it, so tomcat
> 6.0.16 and above read the cookie value to the first space. There are a
> couple other comments in bugs about problems with cookie names with colons
> and the common base64 encoded string with the trailing =.
> There was some talk about adding configuration options to Tomcat to handle
> specific cases. I was thinking about allowing lenient cookie parsing at the
> context level or globally by defining the separator characters as ',' and
> ';' when parsing cookie values (this appears to be the Tomcat
> 6.0.14 behavior). As mentioned in the 44679 bug the there were security
> concerns with pre-6.0.16 cookie parsing - will the security concerns /
> browser issues return with this approach? If so, does it makes sense to
> perform lenient cookie parsing for specific cookie names to limit the
> security risk? This would not really help people with cookie name problems
> and would likely impact cookie parsing performance. I don't see a
> particularly elegant solution emerging. Thoughts?

1. Lobby the vendors of the third party services to provide spec
compliant cookies. In your case, including spaces in the value is a
clear violation of the spec so you should have a strong case.

2. I would prefer not to change the cookie parsing code. I suspect the
type of changes you are suggestion would be quite invasive as the
various static constants would no longer be constant.

3. For broken cookies that Tomcat won't parse, you can always parse the
cookie header yourself. I'd look at what you could do in a filter to
read the header and then fix it. If I get a chance I'll take a look at
writing an example to do this.

Mark


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Mime
View raw message