tomcat-dev mailing list archives

From Apache Wiki <>
Subject [Tomcat Wiki] Update of "Cookies" by jboynes
Date Fri, 17 Jan 2014 16:57:41 GMT
Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Tomcat Wiki" for change notification.

The "Cookies" page has been changed by jboynes:

Add proposals for unnamed cookies and more relaxed validation of cookie names

   C1 Stricter default validation of name::
   :: Change the default value of STRICT_NAMING to be true even if STRICT_SERVLET_COMPLIANCE
is false. Application impact is that applications that wish to set cookies with names that
are valid per Netscape's rules but that are not valid "tokens" per RFC2109 or RFC6265 will
need to explicitly set this system property. The intent of the change is to notify application
developers that they are using a cookie name that is likely to have interoperability issues.
   :: '''Alternative C1a:''' remove option for Netscape naming entirely. Applications that
need to set names that do not comply with RFC2109 and RFC6265 would need to sub-class Cookie
themselves. If this is common, then we could provide a default implementation of that behaviour
(e.g. o.a.t.!NetscapeCookie).
+  :: '''Alternative C1b:''' Make STRICT_NAMING a enum specifying which standard's rules to
enforce: values are "netscape" "rfc2109" or "rfc6265" with the default being "rfc6265." Maintain
compatibilty by allowing "true" as an alias for "rfc2109" and "false" as an alias for "netscape"
with the option defaulting to "rfc6265" or to "rfc2109" if STRICT_SERVLET_COMPLIANCE is true.
"rfc2109" and "rfc6265" are both based on "token" rules, except "rfc2109" disallows values
starting with '$' character.
   C2 Always allow "/" in Netscape cookie names::
   :: Discontinue use of FWD_SLASH_IS_SEPARATOR to configure whether a "/" character can appear
in a name when STRICT_NAMING is false and instead always allow it. No negative application
impact and matches the behaviour of the RI. This property was introduced to prevent quoting
of tokens used in Path values as that is not supported by IE but that behaviour is not needed
for names.
   C3 Always disallow "=" in Netscape cookie names::
   :: Now throw !IllegalArgumentException if a "=" character is present. Application impact
is that an attempt to use "=" will now trigger an IAE before the cookie is sent rather than
having the browser set a cookie with an inconsistent name and value. When parsing the received
Set-Cookie header, browsers treat all characters up to the first "=" character as the name
and the remainder as the value. Having a "=" character in the name will result in an incorrect
+  C4 Always allow attribute names (e.g. "Expires") as cookie names::
+  :: Stop throwing IAE if an attribute name is used as the cookie name. No application impact
as more values are allowed. No confusion with cookie protocols as they are unambiguous in
Set-Cookie and are never used as part of a Cookie header (attributes in the RFC2109 Cookie
header begin with '$').
+  C5 Allow unnamed cookies in C1b "netscape" mode::
+  :: Allow cookies whose name is null or the empty string. Browsers will store a single cookie
that has no name whose value is sent as simply «value» (i.e. without any '=' delimiter).
This would now be supported if STRICT_NAMING is set to "netscape" but would remain disallowed
in "rfc2109" or "rfc6265" modes. If allowed, the Set-Cookie header would contain just the
value (no '=' present and an IAE if value contained an '=') and any such cookie found during
parsing would be included in the result of HttpServletRequest#getCookies().
  === Changes to generation of Set-Cookie header ===
   G1 Use RFC6265 format header for V0 cookies::
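Review bot: C5 leaves the representation of an unnamed cookie ambiguous, saying the name may be "null or the empty string"; since such cookies are to be returned from HttpServletRequest#getCookies(), and application code routinely calls getName().equals(...), a null name would turn an incoming nameless cookie into a NullPointerException in the application, so the proposal should fix one representation (the empty string) and say so explicitly. C5 also only makes sense if Alternative C1b is adopted, because the "netscape" mode it relies on does not exist under C1 or C1a; that dependency should be stated rather than implied by the heading. Two small wording points in C1b: "Make STRICT_NAMING a enum" should read "an enum", and "compatibilty" should read "compatibility". Finally, the last sentence of C3 ("Having a "=" character in the name will result in an incorrect") is cut off and should be completed so the rationale for the new IAE reads as intended.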
