tomcat-users mailing list archives

From André Warnier ...@ice-sa.com>
Subject Re: Control character in cookie value
Date Sat, 05 Dec 2009 16:20:19 GMT
Mark Thomas wrote:
> itay sahar wrote:
>> Caused by: java.lang.IllegalArgumentException: Control character in cookie
>> value, consider BASE64 encoding your value
>>         at
>> org.apache.tomcat.util.http.ServerCookie.maybeQuote2(ServerCookie.java:396)
> 
> To cause this, there must be a character in the value with an ASCII code
>  of less than 0x20 or greater or equal to 0x7f and is not 0x09.
> 
> You need to fix that first.
> 
> Then you'll need to worry about Base64 using '=' in cookie values. The
> value needs to be quoted for this to work. Tomcat will do this
> automatically if necessary.
> 

Mark above is talking about the output value of the Base64 encoder which 
you are using, and which you then feed to the response.addCookie(cookie) 
method.

It is not clear (to me) where the used Base64.encodeBytes() method comes 
from.  But wherever it comes from, it should encode any input series of 
bytes according to
http://tools.ietf.org/html/rfc3548#section-3
which cannot produce "control characters".
Except that some Base64 encoders, in some cases, will "wrap" the output 
string at 76 bytes, by inserting a CR/LF pair, which are both "control 
characters".  (Note that the output string of Base64 is longer than the 
input string, since it encodes 3 consecutive input bytes into 4 output 
bytes.)
My guess is that this is what happens here, and that could trigger the 
exception above.
Maybe this Base64.encodeBytes() method has an optional argument which 
would tell it to not wrap the output value?

Note also that with the code you were showing, the control character(s) 
could presumably be also in "cookiePath".

Why do you not log the cookie value, just before you call 
setCookieValueIfEnabled(String value)?
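
The wrapping behaviour and the logging step suggested in the message above, as an added example that is not part of the original thread. It assumes Java 8+ and uses the JDK's `java.util.Base64` rather than the unidentified `Base64.encodeBytes()` from the original post; the class name, helper names and sample input are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class CookieValueCheck {

    /**
     * Returns the index of the first character matching the rule quoted in
     * the thread (code < 0x20 or >= 0x7f, and not 0x09), or -1 if none.
     */
    static int firstControlChar(String value) {
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if ((c < 0x20 || c >= 0x7f) && c != 0x09) {
                return i;
            }
        }
        return -1;
    }

    /** Logs the value with CR/LF made visible, so line wrapping shows up in the log. */
    static void report(String label, String value) {
        int idx = firstControlChar(value);
        String visible = value.replace("\r", "\\r").replace("\n", "\\n");
        if (idx < 0) {
            System.out.printf("%-6s OK      len=%d %s%n", label, value.length(), visible);
        } else {
            System.out.printf("%-6s REJECT  len=%d first bad char 0x%02x at index %d: %s%n",
                    label, value.length(), (int) value.charAt(idx), idx, visible);
        }
    }

    public static void main(String[] args) {
        // Constructed sample, long enough that its Base64 form exceeds 76 characters.
        byte[] raw = "user=example;session=0123456789abcdef0123456789abcdef;v=0001"
                .getBytes(StandardCharsets.US_ASCII);

        // MIME encoder: wraps output lines at 76 characters with a CR/LF pair.
        String wrapped = Base64.getMimeEncoder().encodeToString(raw);
        // Basic encoder: emits a single line with no separators.
        String plain = Base64.getEncoder().encodeToString(raw);

        report("mime", wrapped);
        report("basic", plain);
    }
}
```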
