tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mark Thomas <>
Subject Re: Cookie issues
Date Thu, 12 Nov 2009 21:03:20 GMT
Mark Thomas wrote:
> Remy Maucherat wrote:
>> On Wed, 2009-11-11 at 16:45 -0500, Mark Thomas wrote:
>>> I really do loath cookies right now. I've pulled the proposed patches for 5.5.x
>>> and 6.0.x until I (or someone else) can take a look at this.
>> I do too. v0 cookies is 15 years old stuff that Netscape hacked out of
>> thin air without thinking at all, and seemingly nobody wants to upgrade
>> since then :(
>> The examples in the v1 spec (even the first one) are nice (everything is
>> always quoted, it's easy and it avoids problems ...), but the problems
>> occur if you try to enforce it (because the security folks ask for it)
>> and have to keep v0 support at the same time.
> Getting back to your original concerns, what were these based on?

I've done some more digging and I think I have found what was causing this. I'll
have a fix for trunk shortly and (after some testing) I'll re-propose.


> You mentioned session cookies breaking because / gets treated as a separator. /
> only gets treated as a separator if you set
> org.apache.catalina.STRICT_SERVLET_COMPLIANCE=true (the default is false) or you
> set org.apache.tomcat.util.http.ServerCookie.FWD_SLASH_IS_SEPARATOR=true (again
> the default is false)
> My intention with this set of cookie patches was to:
> - keep the current behaviour by default
> - make STRICT_SERVLET_COMPLIANCE stricter (knowing this option on it's own may
> break many browsers)
> - provide additional options that let you disable those aspects of
> STRICT_SERVLET_COMPLIANCE that cause compatibility issues
> - add additional options (like allowing = in cookie values) that allow even less
> compliant usage
> The only place where the current behaviour should change is that single quote is
> no longer treated as a separator. I don't see that creating any issues.
> I have spotted a few issues in the patch where current behaviour does change.
> I'll get those fixed and re-propose the patches.
> Mark
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> For additional commands, e-mail:

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message