tomcat-users mailing list archives

From Joerg Schaefer <J.Schae...@usu.de>
Subject Re: Cookie value with equal sign getting truncated
Date Mon, 07 Sep 2009 13:26:16 GMT
Hi Mark,
thanks for the quick reply.
How can I realize option 1?
How can I configure STRICT_SERVLET_COMPLIANCE?

thanks,
Joerg

Mark Thomas <markt@apache.org>
07.09.2009 15:17
Please respond to: "Tomcat Users List" <users@tomcat.apache.org>
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: Cookie value with equal sign getting truncated

Joerg Schaefer wrote:
> It seems that Tomcat doesn't allow a "=" sign in the cookie value.

It is the cookie specs that don't allow unquoted '=' and Tomcat got
stricter about enforcing the specs as a result of a couple of security
vulnerabilities.

> If there is a "=" it puts the value into "" signs.

Yep - as per the spec. Values that contain '=' have to be v1 cookies and
have to be quoted.

> This problem occurs with Tomcat 6.0.18.

The cookie changes started in 6.0.14 and caused various regressions. The
6.0.18+ behaviour (ie the auto switching to v1 cookies) was added to
help those apps that used '=' in the value and couldn't easily fix this
themselves.

> Are there any workarounds available to disable this behavior?

Your options are:

1) Have v0 cookies with '=' treated as invalid (use
STRICT_SERVLET_COMPLIANCE)
2) Have Tomcat automatically switch the cookie to v1 and add the quotes
(the default)
3) Don't use '=' in cookie values (ie change your app)

Mark
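
For option 3 in the message above, one way an application can keep '=' (and every other separator character) out of its cookie values. This is an added example, not part of the original thread and not Tomcat code. The class name `CookieValueCodec`, the sample value and the choice of unpadded URL-safe Base64 are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

/** Hypothetical helper for illustration; not part of Tomcat or the thread. */
public final class CookieValueCodec {
    // RFC 2616 "separators": a value containing any of these is not a plain
    // token and would have to be quoted to be sent in a cookie.
    private static final String SEPARATORS = "()<>@,;:\\\"/[]?={} \t";

    /** True if the value can be sent unquoted, i.e. as a v0 cookie value. */
    static boolean isPlainToken(String value) {
        if (value.isEmpty()) {
            return false;
        }
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            // Reject control characters, non-ASCII and separators.
            if (c <= 0x20 || c >= 0x7f || SEPARATORS.indexOf(c) >= 0) {
                return false;
            }
        }
        return true;
    }

    /** Encode arbitrary text into [A-Za-z0-9_-] with no '=' padding. */
    static String encode(String raw) {
        return Base64.getUrlEncoder().withoutPadding()
                .encodeToString(raw.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Reverse of encode(). Throws IllegalArgumentException on malformed
     * input; callers should then treat the cookie as absent.
     */
    static String decode(String cookieValue) {
        byte[] bytes = Base64.getUrlDecoder().decode(cookieValue);
        return new String(bytes, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        String raw = "user=joerg&role=editor"; // constructed sample value
        String safe = encode(raw);
        System.out.println("raw is plain token:     " + isPlainToken(raw));
        System.out.println("encoded is plain token: " + isPlainToken(safe));
        System.out.println("round trip matches:     " + decode(safe).equals(raw));
    }
}
```

Encoding only changes the representation of the value; it adds no confidentiality or integrity protection, so the decoded content still has to be validated as untrusted input.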