tomcat-dev mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 51138] Cookies with colons in the cookie value are read incorrectly
Date Mon, 02 May 2011 16:10:51 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=51138

--- Comment #6 from Mark Thomas <markt@apache.org> 2011-05-02 16:10:51 UTC ---
That is a fair point. A similar argument can be made around the use of ":" etc.
in date headers although those are single value headers so parsing them is
simpler and separators won't cause complications like they can in cookie
headers.

rfc6265 is still a draft, but then again so is rfc2616. What really matters
with these specifications - and particularly the cookie specs given the minimal
adoption of rfc2965 and the selective implementation of rfc2109 - is adoption.

The Servlet 3 spec doesn't even mention rfc2965 (not necessarily a bad thing).
If you want the Servlet spec to support rfc6265 then you'll need to lobby the
Servlet Expert Group.

I wouldn't be against supporting rfc6265 but there are several issues of
concern:
- I would want to look hard at the various security issues that led to Tomcat
tightening up compliance with the cookie specifications to assure myself that
implementing rfc6265 was secure
- browser (specifically IE) interoperability with rfc6265
- backwards compatibility with applications that expect rfc2109 compliant
cookie headers

Regardless of all of the above, the Tomcat 7 implementation based on rfc2109 as
per the Servlet 3.0 specification is not going to change.
