tomcat-dev mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 51138] Cookies with colons in the cookie value are read incorrectly
Date Mon, 02 May 2011 21:32:56 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=51138

--- Comment #7 from Jelmer Kuperus <jelmer@jteam.nl> 2011-05-02 21:32:56 UTC ---
Mark, maybe you should read up on the spec. It was actually written to bring
the standard in line with actual practices. So in that sense it has 100%
adoption.

As far as I can tell the servlet spec does not specify how to interpret cookies
sent by the client. It only specifies in which format the cookies can be sent
to the client. And in fact it is not based on rfc2109, it recommends using the
netscape spec because "RFC 2109 is still somewhat new, consider version 1 as
experimental; do not use it yet on production sites." 

So I don't see how resolving this bug would break compatibility with the servlet
spec.

So yes, it breaks compatibility with rfc2616, but since you are already not
compatible with it for good reasons, I do not see why this is a big deal.

Disallowing = in the Authentication header would break basic authentication in
most if not all browsers.

Disallowing colons, pipes etc. in cookie values breaks cookie handling for
lots of cookies in most if not all browsers.

To me it's the exact same thing.
