tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Callinswood,Kevin,VEVEY,GLOBE BTC" <>
Subject RE: cookie issue with Tomcat 7 - does not accept the character "é"
Date Sun, 02 Feb 2014 20:19:35 GMT
We have a cookie generated by the home page of our intranet as follows: 

Cookie:  GetUser_Properties="abc","abc","abc","abc","abc","abc","abc","abc","abc";

If you put an é in the first parameter e.g. 
Cookie:  GetUser_Properties="abcé","abc","abc","abc","abc","abc","abc","abc","abc"; 
Then we get result = 200 (success)

If you put an é in any other parameter e.g. 
Cookie:  GetUser_Properties="abc","abcé","abc","abc","abc","abc","abc","abc","abc"; 
Then we the HTTP error = 500.

It's a strange one, and I guess the "é" in the 1st position should also generate HTTP 500
error but it doesn’t.  However, my main concern is that the "é" could appear in any position
in the cookie, and therefore we have an issue.

Thanks, Kevin.

-----Original Message-----
From: Christopher Schultz [] 
Sent: dimanche 2 février 2014 21:00
To: Tomcat Users List
Subject: Re: cookie issue with Tomcat 7 - does not accept the character "é"

Hash: SHA256


On 2/2/14, 2:31 PM, Callinswood,Kevin,VEVEY,GLOBE BTC wrote:
> We have upgraded to Tomcat 7 from Tomcat 6 and we are now facing 
> issues due to some of the standard company cookies containing an "é".
> Tomcat 6 accepted the "é" but upgrading to Tomcat 7 we get an error if 
> the "é" is any parameter except for the 1st position.

What you do mean "any parameter except for the 1st position"? You said this was about cookies...

> The error received is:
> SEVERE: Error processing request
> java.lang.IllegalArgumentException: Control character in cookie value 
> or attribute.

Can you give a protocol dump including byte-translation? For example, é is usually expressed
as 0xc9 and appears in ISO-8859-1 as a single byte. Since it's in the top-half of the ISO-8859-1
character set,
UTF-8 requires that it be represented by two bytes: 0xc3 0xa9

Without quoting, unquoted Cookie names and values may be any US-ASCII character from 0x32
- 0x7e except for any of ("(" | ")" | "<" | ">" | "@" | "," | ";" | ":" | "\" | <">
| "/" | "[" | "]" | "?" | "=" | "{"
| "}" | SP | HT). None of the characters above are within that range,
so the cookie value must be quoted. (It looks to me like Cookie names must always be in US-ASCII...
I didn't think that was the case but I'm not motivated to track-down every word of the spec
looking for justification).

What is the character encoding of the request? What client are you using? Who created the
cookie in the first place?

> I have tried playing around with the parameters in the 
> file but with no success.  Is there a way to 
> remove all checking of cookies ?

Tomcat has become more standards-strict in version 7. This page should give you a bit of insight,
though it is quite technical:

> Possible solutions are to revert to Tomcat 6, change web server, or 
> encode the cookies.  We are planning a go-live a week from now so 
> reverting to Tomcat 6 seems to be the solution in the short term.

You decided to start testing with a new major application server version 1 week before deployment?
Hmm. Sounds like using Tomcat 6 is the right short-term move. You really need to identify
the problem,
though: it's only going to get worse.

Now, if you had Tomcat 6 create those cookies and the client is sending them back tom Tomcat
7, then you may want to expire those old cookies and see what a Tomcat 7 roundtrip looks like.
Tomcat 7 may be more properly encoding the cookies in the first place, solving the problem
before it begins.

- -chris
Version: GnuPG v1
Comment: GPGTools -
Comment: Using GnuPG with Thunderbird -


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message