tomcat-dev mailing list archives

From Filip Hanik - Dev Lists <>
Subject Re: Cookie issues
Date Wed, 11 Nov 2009 21:59:42 GMT
On 11/11/2009 02:45 PM, Mark Thomas wrote:
> Remy Maucherat wrote:
>> Hi,
>> I think cookies are still broken, and this is getting more and more
>> complex. The apparent issue is that the parser applies v1 parsing rules
>> when parsing v0 cookies (which are generated using a much more lenient
>> character exclusion), resulting in cookies that cannot be parsed back.
>> A simple example is a regular cookie session (!), where the path cannot
>> even be parsed back ('/' is now in the "specials" list).
>> Maybe we could parse as v0, and validate the bytes if the cookie turned
>> out to be v1 ?
> I really do loathe cookies right now.
I don't blame you.
> I've pulled the proposed patches for 5.5.x
> and 6.0.x until I (or someone else) can take a look at this.
Cookies, while the spec on v1 is somewhat clear, are a nasty can of
worms. Mostly because user agents over the years have taken all kinds of
liberties. When J-F-C and myself refactored some of it a while ago, we
went through that whole exercise. It's not something you patch up and
throw out there. Even as careful as we thought we were, we broke a
shitload, and then slowly added in some leniency towards the most common
user agent errors.

So I think your idea of waiting a bit is wise.

> Mark

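A sketch of the approach proposed in the quoted message (parse leniently as v0, then validate only when the cookie turns out to be v1), added here as an example; it is not Tomcat's parser and not code from the thread. The class name, the sample headers, and the use of the RFC 2616 separator set for v1 tokens are assumptions.

```java
import java.util.LinkedHashMap;
import java.util.Map;

public class LenientCookieParse {
    // HTTP "separators" (RFC 2616, section 2.2): a v1 token may contain none of these.
    private static final String SEPARATORS = "()<>@,;:\\\"/[]?={} \t";

    static boolean isToken(String s) {
        for (char c : s.toCharArray()) {
            if (c <= 0x20 || c >= 0x7f || SEPARATORS.indexOf(c) >= 0) return false;
        }
        return !s.isEmpty();
    }

    // Quoted string whose only other '"' is the closing one (escaped quotes are refused).
    static boolean isQuoted(String s) {
        return s.length() >= 2 && s.charAt(0) == '"' && s.indexOf('"', 1) == s.length() - 1;
    }

    // Pass 1 splits on ';' only (v0 leniency). Pass 2 runs only when $Version is 1.
    // A quoted v1 value containing ';' is cut by pass 1 and then rejected by pass 2.
    static Map<String, String> parse(String header) {
        Map<String, String> pairs = new LinkedHashMap<>();
        for (String part : header.split(";")) {
            int eq = part.indexOf('=');
            String name = part.substring(0, Math.max(eq, 0)).trim();
            if (!name.isEmpty()) pairs.put(name, part.substring(eq + 1).trim());
        }
        String version = pairs.getOrDefault("$Version", "0").replace("\"", "");
        if (version.equals("1")) pairs.forEach((k, v) -> {
            if (!isToken(v) && !isQuoted(v)) throw new IllegalArgumentException("invalid v1 value for " + k + ": " + v);
        });
        return pairs;
    }

    public static void main(String[] args) {
        // Constructed sample Cookie headers, not taken from the thread.
        String[] samples = {
            "JSESSIONID=ABC123; theme=a/b",                  // v0: '/' is tolerated
            "$Version=1; JSESSIONID=ABC123; $Path=\"/app\"", // v1: quoted path
            "$Version=1; JSESSIONID=ABC123; $Path=/app"      // v1: bare '/' is not a token
        };
        for (String h : samples) {
            try { System.out.println("accepted: " + parse(h)); }
            catch (IllegalArgumentException ex) { System.out.println("rejected: " + ex.getMessage()); }
        }
    }
}
```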