tomcat-users mailing list archives

From Mark Thomas <>
Subject Re: org.apache.tomcat.util.http.ServerCookie.ALLOW_EQUALS_IN_VALUE Explanation
Date Tue, 10 Nov 2015 20:05:37 GMT
On 10/11/2015 19:53, Tessler, Micah (M.B.) wrote:
> I am trying to understand the reasoning behind needing this setting: org.apache.tomcat.util.http.ServerCookie.ALLOW_EQUALS_IN_VALUE=true
> When set to true, my cookie values can contain the '=' character.
> I assume that Tomcat did not implement this setting which defaults to false for no reason.
> I'd like to understand the cost/downside of turning this on.
> The upside is that I can accept valid cookies that aren't truncated.

The point is that those cookies aren't valid.

> I can't find the relevant portion of rfc6265 that disallows '=' character in cookie values,
> so I don't think that's it.

No, it isn't. RFC6265 isn't mentioned anywhere in any Servlet
specification. The Servlet spec still refers to RFC2109. By default all
Tomcat versions up to 8.0.x use RFC2109. 8.0.x can be
switched to RFC6265. Look for CookieProcessor in the docs.
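To make the grammar difference concrete, here is an added checker (not code from Tomcat or from this thread) that tests one raw cookie value against the RFC 2109 rule, where `value` is an RFC 2068 token or quoted-string and '=' is a tspecial, and against the RFC 6265 `cookie-octet` rule, which permits '='. The `rfc2109_token_prefix` function models where a token-based parser that does not accept '=' would stop; the base64 sample value is constructed for the demonstration.

```python
# RFC 2109 takes 'value' from RFC 2068 (token | quoted-string); '=' is a tspecial.
TSPECIALS = set('()<>@,;:\\"/[]?={} \t')

def _is_ctl(ch: str) -> bool:
    return ord(ch) < 0x20 or ord(ch) == 0x7F

def rfc2109_token_prefix(value: str) -> str:
    """Longest leading RFC 2068 token; a token parser stops here (the truncation)."""
    kept = []
    for ch in value:
        if ch in TSPECIALS or _is_ctl(ch):
            break
        kept.append(ch)
    return "".join(kept)

def valid_rfc2109_value(value: str) -> bool:
    """RFC 2109 value = token | quoted-string; '=' is only legal inside quotes."""
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        inner, i = value[1:-1], 0
        while i < len(inner):
            if inner[i] == "\\":  # quoted-pair: backslash escapes the next CHAR
                i += 2
                continue
            if inner[i] == '"' or (_is_ctl(inner[i]) and inner[i] != "\t"):
                return False
            i += 1
        return i == len(inner)  # a trailing lone backslash is malformed
    return value != "" and rfc2109_token_prefix(value) == value

def _is_cookie_octet(ch: str) -> bool:
    # RFC 6265 cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
    o = ord(ch)
    return (o == 0x21 or 0x23 <= o <= 0x2B or 0x2D <= o <= 0x3A
            or 0x3C <= o <= 0x5B or 0x5D <= o <= 0x7E)

def valid_rfc6265_value(value: str) -> bool:
    """RFC 6265 cookie-value = *cookie-octet / DQUOTE *cookie-octet DQUOTE."""
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        value = value[1:-1]
    return all(_is_cookie_octet(c) for c in value)

def classify(value: str) -> dict:
    """How each grammar treats one raw value taken from a Cookie header."""
    return {"rfc2109_valid": valid_rfc2109_value(value),
            "rfc2109_token_prefix": rfc2109_token_prefix(value),
            "rfc6265_valid": valid_rfc6265_value(value)}

if __name__ == "__main__":  # constructed sample: base64 padding, bare and quoted
    for v in ("c2Vzc2lvbg==", '"c2Vzc2lvbg=="'):
        print(v, classify(v))
```

The bare base64 value is invalid under RFC 2109 and would be cut at the first '=', while the same value is valid under RFC 6265; quoting it makes it valid under both, which is the RFC 2109-conformant way to carry such a value.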

