tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mark Thomas <ma...@apache.org>
Subject Re: Cookie value with equal sign getting truncated
Date Mon, 07 Sep 2009 13:16:54 GMT
Joerg Schaefer wrote:
> It seems, that Tomcat doesn't allow a "= " sign in the cookie value.

It is the cookie specs that doesn't allow unquoted '=' and Tomcat got
stricter about enforcing the specs as a result of a couple of security
vulnerabilities.

> If there is a "=" it put the value into "" -signs.

Yep - as per the spec. Values that contain '=' have to be v1 cookies and
have to be quoted.

> This problem occurs with Tomcat 6.0.18.

The cookie changes started in 6.0.14 and caused various regressions. The
6.0.18+ behaviour (ie the auto switching to v1 cookies) was added to
help those apps that used '=' in the value and couldn't easily fix this
themselves.

> Are there a workarounds available to disable this behavior?

Your options are:

1) Have v0 cookies with '=' treated as invalid (use
STRICT_SERVLET_COMPILANCE)
2) Have Tomcat automatically switch the cookie to v1 and add the quotes
(the default)
3) Don't use '=' in cookie values (ie change your app)

Mark




---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message