tomcat-dev mailing list archives

Subject DO NOT REPLY [Bug 51138] Cookies with colons in the cookie value are read incorrectly
Date Mon, 02 May 2011 16:10:51 GMT

--- Comment #6 from Mark Thomas 2011-05-02 16:10:51 UTC ---
That is a fair point. A similar argument can be made around the use of ":" etc.
in date headers although those are single value headers so parsing them is
simpler and separators won't cause complications like they can in cookie

rfc6265 is still a draft, but then again so is rfc2616. What really matters
with these specifications - and particularly the cookie specs given the minimal
adoption of rfc2965 and the selective implementation of rfc2109 - is adoption.

The Servlet 3 spec doesn't even mention rfc2965 (not necessarily a bad thing).
If you want the Servlet spec to support rfc6265 then you'll need to lobby the
Servlet Expert Group.

I wouldn't be against supporting rfc6265 but there are several issues of
- I would want to look hard at the various security issues that led to Tomcat
tightening up compliance with the cookie specifications to assure myself that
implementing rfc6265 was secure
- browser (specifically IE) interoperability with rfc6265
- backwards compatibility with applications that expect rfc2109 compliant
cookie headers

Regardless of all of the above, the Tomcat 7 implementation based on rfc2109 as
per the Servlet 3.0 specification is not going to change.
