Subject: Re: org.apache.tomcat.util.http.ServerCookie.ALLOW_EQUALS_IN_VALUE Explanation
From: Mark Thomas
To: Tomcat Users List
Date: Tue, 10 Nov 2015 20:05:37 +0000

On 10/11/2015 19:53, Tessler, Micah (M.B.) wrote:
> I am trying to understand the reasoning behind needing this setting: org.apache.tomcat.util.http.ServerCookie.ALLOW_EQUALS_IN_VALUE=true
> When set to true, my cookie values can contain the '=' character.
> I assume that Tomcat did not implement this setting which defaults to false for no reason.
> I'd like to understand the cost/downside of turning this on.
> The upside is that I can accept valid cookies that aren't truncated.

The point is that those cookies aren't valid.

> I can't find the relevant portion of rfc6265 that disallows '=' character in cookie values, so I don't think that's it.

No it isn't. RFC6265 isn't mentioned anywhere in any Servlet specification. The Servlet spec still refers to RFC2109.

By default all Tomcat versions up to 8.0.x use RFC2109 by default. 8.0.x can be switched to RFC6265. Look for CookieProcessor in the docs.

Mark
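
The grammar difference behind the reply above, as an added example that is not part of the original message and is not Tomcat's code: RFC 2109 defines an unquoted cookie value as an HTTP token, in which '=' is a separator, while RFC 6265's cookie-octet set includes '='. The class name, method names and sample values are constructed for illustration, and the prefix function only models strict token parsing stopping at the first non-token character.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class CookieEqualsDemo {
    // RFC 2109 takes "token" from HTTP/1.1: any CHAR except CTLs and these separators.
    private static final String SEPARATORS = "()<>@,;:\\\"/[]?={} \t";

    /** Longest leading run of RFC 2109 token characters (a model of strict parsing, not Tomcat's code). */
    static String rfc2109TokenPrefix(String raw) {
        int i = 0;
        while (i < raw.length()) {
            char c = raw.charAt(i);
            if (c <= 0x20 || c >= 0x7f || SEPARATORS.indexOf(c) >= 0) break;
            i++;
        }
        return raw.substring(0, i);
    }

    /** RFC 6265 cookie-value: *cookie-octet, optionally wrapped in one pair of DQUOTEs. */
    static boolean isRfc6265Value(String raw) {
        String v = raw;
        if (v.length() >= 2 && v.startsWith("\"") && v.endsWith("\"")) {
            v = v.substring(1, v.length() - 1);
        }
        for (char c : v.toCharArray()) {
            // cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
            boolean ok = c == 0x21 || (c >= 0x23 && c <= 0x2b) || (c >= 0x2d && c <= 0x3a)
                    || (c >= 0x3c && c <= 0x5b) || (c >= 0x5d && c <= 0x7e);
            if (!ok) return false;
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample values; Base64 padding is a common source of '=' in a cookie value.
        String padded = Base64.getEncoder().encodeToString("user:12345".getBytes(StandardCharsets.UTF_8));
        String[] samples = { padded, "a=b=c", "plainToken", "has space" };
        for (String s : samples) {
            String prefix = rfc2109TokenPrefix(s);
            System.out.printf("%-20s rfc2109-token=%-5b prefix=%-16s rfc6265-valid=%b%n",
                    "[" + s + "]", prefix.equals(s), "[" + prefix + "]", isRfc6265Value(s));
        }
    }
}
```

For the Base64 sample the token prefix ends before the padding while the RFC 6265 check accepts the whole value, which is the truncation the original poster describes.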