tomcat-dev mailing list archives

From Apache Wiki <>
Subject [Tomcat Wiki] Update of "Cookies" by jboynes
Date Fri, 03 Jan 2014 19:43:22 GMT
Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Tomcat Wiki" for change notification.

The "Cookies" page has been changed by jboynes:

  The domain value is converted to lower case (per Locale.ENGLISH) when set as "IE allegedly
needs this."
- ==== HttpServletRequest ====
+ ==== HttpServletResponse ====
- TODO: document this
+ This is typically implemented by o.a.c.connector.Response whose addCookie method delegates
generation of the Set-Cookie header to o.a.t.util.http.ServerCookie#appendCookieValue. This
first appends the name (relying on checks performed by Cookie), "=" and then the value using
RFC2109 quoting rules:
+  * if the value is null or empty, append empty quoted-string ""
+  * if the value starts and ends with '"', output as is after escaping any '"' characters
between the outer quotes
+  * if ALLOW_HTTP_SEPARATORS_IN_V0 is false and the value contains a RFC2616 separator, output
as a quoted-string after escaping '"' and force Version=1
+  * if ALLOW_HTTP_SEPARATORS_IN_V0 is true and the value contains a Netscape separator, output
as a quoted-string after escaping '"' and force Version=1
+  * otherwise, output as is
+ Netscape separators are {',', ';', ' ', '\t'}
+ RFC2616 separators by default do not include "/" unless FWD_SLASH_IS_SEPARATOR is set (or
+ Characters outside the set { HT, 0x20..0x7E } will result in a !IllegalArgumentException
when the check for token characters is performed.
+ The same quoting rules are applied when outputting any Domain or Path value.
+ If maxAge >=, then the Max-Age attribute will be set for V1 cookies and the Expires attribute
for V0 cookies. If the property ALWAYS_ADD_EXPIRES is true then Expires will also be set for
V1 cookies.
+  Issues::
+  :: relies on the browser supporting RFC2109 quoting rules when Version=1 (most apply Netscape
+  :: Domain is not strictly checked
+  :: Path is quoted using the same rules as Value; browsers treat them differently (e.g.
IE treats quoted paths as invalid)
  === Proposed Implementation ===
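
Review bot: The quoting list has no bullet for ALLOW_HTTP_SEPARATORS_IN_V0 being true while the value contains an RFC2616 separator that is not one of the Netscape separators; as written, that case falls through to "otherwise, output as is", so the separator goes into the Set-Cookie header unquoted. Please state that explicitly, either as its own bullet or under Issues. In the maxAge paragraph, "If maxAge >=," has no comparand, so the condition for emitting Max-Age or Expires is undefined; add the threshold. The FWD_SLASH_IS_SEPARATOR line stops at "(or" and the first Issues entry stops at "(most apply Netscape", so both sentences need completing before this text can serve as a reference for the Domain and Path handling.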
