tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Dillon Sellars <>
Subject Cookie interoperability
Date Fri, 20 Feb 2009 03:35:08 GMT
I know this one has been beaten to death a little (, but I (and looks
like some others) are stuck on older versions of Tomcat (6.0.14) in order to
read non-standard cookies set by 3rd parties. In my case, the cookie value
in not enclosed in double quotes has a couple of spaces in it, so tomcat
6.0.16 and above read the cookie value to the first space. There are a
couple other comments in bugs about problems with cookie names with colons
and the common base64 encoded string with the trailing =.
There was some talk about adding configuration options to Tomcat to handle
specific cases. I was thinking about allowing lenient cookie parsing at the
context level or globally by defining the separator characters as ',' and
';' when parsing cookie values (this appears to be the Tomcat
6.0.14 behavior). As mentioned in the 44679 bug the there were security
concerns with pre-6.0.16 cookie parsing - will the security concerns /
browser issues return with this approach? If so, does it makes sense to
perform lenient cookie parsing for specific cookie names to limit the
security risk? This would not really help people with cookie name problems
and would likely impact cookie parsing performance. I don't see a
particularly elegant solution emerging. Thoughts?

  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message