tomcat-dev mailing list archives

From Apache Wiki <>
Subject [Tomcat Wiki] Update of "Cookies" by markt
Date Wed, 08 Jan 2014 20:35:25 GMT
Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Tomcat Wiki" for change notification.

The "Cookies" page has been changed by markt:

Review proposed generation changes and make a couple of alternative suggestions

  === Changes to generation of Set-Cookie header ===
   G1 Use RFC6265 format header for V0 cookies::
   :: When version == 0 always generate a RFC6265 header, raising an exception from addCookie
if the value is invalid rather than attempting to upgrade to a RFC2109 header to use quoting.
Application impact is that they will now fail fast with an error rather than inconsistent
data as described in Bug 55920; applications that do not set invalid values will not be impacted.
+  :: '''Alternative G1a:''' Generate an RFC6265 header if possible but provide an option
(disabled by default) to allow switching to an RFC2109 header if a valid RFC6265 header is
not possible.
   G2 Use RFC2109 format header only for V1 cookies::
   :: When version == 1 always generate a RFC2109 header, raising an exception from addCookie
if the value is invalid. This preserves existing behaviour for applications that use V1 cookies.
   G3 Stop adding quotes or escaping to values::
   :: The value supplied by the application will be validated to the relevant specification
and will result in a IAE if it does not conform. The value will never be modified to add quotations
or escape characters, Application impact is that an attempt to set an invalid value will result
in an early error rather than inconsistent data.
+  :: '''Alternative G3a:''' Quotes and/or escaping only to be added to RFC2109 headers. API
to remain symmetric and quoting/escaping to remain transparent to applicatons.
   G4 Use UTF-8 encoding for values::
   :: The value (which is a UCS-16 Java String) will be encoded using UTF-8 when being added
to the header. Application impact is that non-ASCII characters will no longer cause an IAE.
For V0 cookies, this is an extension to RFC6265 required to support HTML-5. V1 cookies already
allow 8-bit characters if quoted and this is likely to be needed to avoid an IAE as the value
would still be validated; it would be the application's responsibility to quote the value.
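
Review bot: Alternative G3a conflicts with the unchanged G4 text, which still says that for V1 cookies "it would be the application's responsibility to quote the value", while G3a keeps quoting/escaping transparent to applications for RFC2109 headers; if G3a is adopted, G4 needs rewording so the two agree. Alternative G1a also leaves unstated what addCookie does when the option is disabled and a valid RFC6265 header is not possible (presumably the exception described in G1), and whether enabling the option brings back the inconsistent data that G1 attributes to Bug 55920; stating both would make the alternative easier to evaluate. Minor: "applicatons" in G3a should read "applications".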
