From: Mark Thomas
To: Tomcat Developers List
Subject: Re: Cookie issues
Date: Thu, 12 Nov 2009 15:22:02 -0500
Message-ID: <4AFC6E6A.5060908@apache.org>
In-Reply-To: <1257976908.2464.113.camel@work.remm.hd.free.fr>
References: <1257963460.2464.88.camel@work.remm.hd.free.fr> <4AFB3079.8070400@apache.org> <1257976908.2464.113.camel@work.remm.hd.free.fr>

Remy Maucherat wrote:
> On Wed, 2009-11-11 at 16:45 -0500, Mark Thomas wrote:
>> I really do loathe cookies right now. I've pulled the proposed patches for 5.5.x
>> and 6.0.x until I (or someone else) can take a look at this.
>
> I do too. v0 cookies is 15 years old stuff that Netscape hacked out of
> thin air without thinking at all, and seemingly nobody wants to upgrade
> since then :(
>
> The examples in the v1 spec (even the first one) are nice (everything is
> always quoted, it's easy and it avoids problems ...), but the problems
> occur if you try to enforce it (because the security folks ask for it)
> and have to keep v0 support at the same time.

Getting back to your original concerns, what were these based on?

You mentioned session cookies breaking because / gets treated as a
separator. / only gets treated as a separator if you set
org.apache.catalina.STRICT_SERVLET_COMPLIANCE=true (the default is false)
or you set
org.apache.tomcat.util.http.ServerCookie.FWD_SLASH_IS_SEPARATOR=true
(again the default is false).

My intention with this set of cookie patches was to:
- keep the current behaviour by default
- make STRICT_SERVLET_COMPLIANCE stricter (knowing this option on its own
  may break many browsers)
- provide additional options that let you disable those aspects of
  STRICT_SERVLET_COMPLIANCE that cause compatibility issues
- add additional options (like allowing = in cookie values) that allow
  even less compliant usage

The only place where the current behaviour should change is that single
quote is no longer treated as a separator. I don't see that creating any
issues.

I have spotted a few issues in the patch where current behaviour does
change. I'll get those fixed and re-propose the patches.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
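The following is an added example, not code from this thread and not Tomcat's own org.apache.tomcat.util.http.ServerCookie implementation. It is a small Python tokenizer that models the separator choices the message describes: whether / ends an unquoted value (FWD_SLASH_IS_SEPARATOR, implied by STRICT_SERVLET_COMPLIANCE), whether = may appear inside a value, and the old behaviour of treating the single quote as a separator. The keyword flags are named after those options but are this example's own; the Cookie headers fed to it are constructed samples.

```python
# Illustrative Cookie-header tokenizer (added example; NOT Tomcat's
# org.apache.tomcat.util.http.ServerCookie code).  The keyword flags are
# named after the Tomcat options discussed in the thread, but the
# behaviour here is a simplified model, not a transcription of Tomcat's.

# RFC 2109 / RFC 2616 "tspecials": the characters a strict v1 parser treats
# as token separators.  Note that ' is not among them, while / and = are.
TSPECIALS = set('()<>@,;:\\"/[]?={} \t')


def parse_cookie_header(header,
                        strict_servlet_compliance=False,
                        fwd_slash_is_separator=False,
                        allow_equals_in_value=False,
                        single_quote_is_separator=False):
    """Split a Cookie request header into (name, value) pairs.

    Returns (cookies, dropped): the pairs recovered, plus the text fragments
    that were not part of a well-formed name=value pair and were discarded.
    All flags default to the lenient behaviour:
      strict_servlet_compliance  -- implies fwd_slash_is_separator
      fwd_slash_is_separator     -- treat / as a separator in bare values
      allow_equals_in_value      -- let bare values contain =
      single_quote_is_separator  -- the old behaviour the patch set removes
    $Version and other $-attributes are not special-cased here.
    """
    seps = set(TSPECIALS)
    if not (fwd_slash_is_separator or strict_servlet_compliance):
        seps.discard('/')
    if single_quote_is_separator:
        seps.add("'")
    # '=' always ends a *name*; whether it ends a *value* is configurable.
    value_seps = seps - {'='} if allow_equals_in_value else seps

    cookies, dropped = [], []
    i, n = 0, len(header)
    while i < n:
        # skip whitespace and the ; / , delimiters between pairs
        while i < n and header[i] in ' \t;,':
            i += 1
        if i >= n:
            break
        pair_start = i
        # name: a run of non-separator characters
        while i < n and header[i] not in seps:
            i += 1
        name = header[pair_start:i]
        j = i
        while j < n and header[j] in ' \t':
            j += 1
        value = None
        if j < n and header[j] == '=':
            j += 1
            while j < n and header[j] in ' \t':
                j += 1
            if j < n and header[j] == '"':
                # v1-style quoted value: separators inside the quotes do not
                # count; backslash escapes are kept verbatim, not decoded
                j += 1
                start = j
                while j < n and header[j] != '"':
                    if header[j] == '\\' and j + 1 < n:
                        j += 1
                    j += 1
                value = header[start:j]
                if j < n:
                    j += 1          # consume the closing quote
            else:
                # v0-style bare value: runs up to the first value separator
                start = j
                while j < n and header[j] not in value_seps:
                    j += 1
                value = header[start:j]
            i = j
        # anything left before the next pair delimiter is not part of a
        # well-formed pair; record it so the caller can see what was lost
        start = i
        while i < n and header[i] not in ';,':
            i += 1
        rest = header[start:i].strip()
        if name and value is not None:
            cookies.append((name, value))
        else:
            rest = header[pair_start:i].strip()
        if rest:
            dropped.append(rest)
    return cookies, dropped


if __name__ == '__main__':
    hdr = "JSESSIONID=abc/def; token=a=b; msg=it's"   # constructed sample header
    for label, kw in [('default', {}),
                      ('STRICT_SERVLET_COMPLIANCE', {'strict_servlet_compliance': True}),
                      ('allow = in values', {'allow_equals_in_value': True}),
                      ("old: ' is a separator", {'single_quote_is_separator': True})]:
        print(label, parse_cookie_header(hdr, **kw))
```

The point the example makes visible is the one the thread turns on: a bare session id containing / survives the lenient default but is cut at the slash, with the remainder discarded, as soon as / becomes a separator; quoting the value the v1 way keeps it intact in both modes, which is why enforcing v1 quoting is attractive until v0 clients that never quote have to keep working.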