tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mark Thomas <>
Subject Re: Cookie issues
Date Thu, 12 Nov 2009 20:22:02 GMT
Remy Maucherat wrote:
> On Wed, 2009-11-11 at 16:45 -0500, Mark Thomas wrote:
>> I really do loath cookies right now. I've pulled the proposed patches for 5.5.x
>> and 6.0.x until I (or someone else) can take a look at this.
> I do too. v0 cookies is 15 years old stuff that Netscape hacked out of
> thin air without thinking at all, and seemingly nobody wants to upgrade
> since then :(
> The examples in the v1 spec (even the first one) are nice (everything is
> always quoted, it's easy and it avoids problems ...), but the problems
> occur if you try to enforce it (because the security folks ask for it)
> and have to keep v0 support at the same time.

Getting back to your original concerns, what were these based on?

You mentioned session cookies breaking because / gets treated as a separator. /
only gets treated as a separator if you set
org.apache.catalina.STRICT_SERVLET_COMPLIANCE=true (the default is false) or you
set org.apache.tomcat.util.http.ServerCookie.FWD_SLASH_IS_SEPARATOR=true (again
the default is false)

My intention with this set of cookie patches was to:
- keep the current behaviour by default
- make STRICT_SERVLET_COMPLIANCE stricter (knowing this option on it's own may
break many browsers)
- provide additional options that let you disable those aspects of
STRICT_SERVLET_COMPLIANCE that cause compatibility issues
- add additional options (like allowing = in cookie values) that allow even less
compliant usage

The only place where the current behaviour should change is that single quote is
no longer treated as a separator. I don't see that creating any issues.

I have spotted a few issues in the patch where current behaviour does change.
I'll get those fixed and re-propose the patches.


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message