tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mark Thomas <>
Subject Re: HtttServletRequest.getSession()
Date Thu, 16 Sep 2010 13:25:56 GMT
On 16/09/2010 13:49, Brian McBride wrote:
> Is there a way to persuade Tomcat to use Set-Cookie2 headers?

Not though the Servlet API. The servlet spec references v0 and v1
cookies but not the v2 spec.

Given the IE doesn't even fully implement the v1 cookie spec, I would
estimate the chances of it being spec compliant with v2 cookies
somewhere rather close to zero. IE's user base may be declining but it
is still a very large percentage.

It may be possible to implement some form of custom extension but doing
that without touching any of the javax.servlet classes would be tricky
at best (and we can't touch them since that would break the spec).

Your best bet may be to just set the cookie header manually. That won't
help with session cookies since Tomcat creates those.

Lobbying the Servlet EG has been known to get the spec changed if a
strong argument is presented (eg httpOnly support in cookies).


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message