tomcat-users mailing list archives

From "Hedrick, Brooke - 43" <brooke.hedr...@rainhail.com>
Subject RE: Tomcat 8.5.5 (8.5+) Default Cookie Processor breaks persistent cookies for all IE versions
Date Mon, 07 Nov 2016 18:28:16 GMT
Thanks Mark and everyone else.  I appreciate all of the sentiments.  It is very annoying that
MS can't get on the bus for something like this, even in Edge.  But as you said IE remains
the default corporate browser on Windows.

I appreciate your working on this.


Brooke Hedrick

-----Original Message-----
From: Christopher Schultz [mailto:chris@christopherschultz.net] 
Sent: Monday, November 07, 2016 9:25 AM
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: Tomcat 8.5.5 (8.5+) Default Cookie Processor breaks persistent cookies for all
IE versions

Stefan,

On 11/6/16 4:31 AM, Stefan Mayr wrote:
> On 05.11.2016 at 23:58, Mark Thomas wrote:
>> While we could make a stand on this particular point, I suspect that 
>> Microsoft won't even notice and all it will do is make life difficult 
>> for our users. As annoyed as I am with Microsoft about this, making 
>> life difficult for Tomcat users is not what this community is about. 
>> As much as it pains me to say it, I think we are going to have to 
>> work around this.
>> 
>> Maybe a new option: 
>> enableWorkaroundForBrokenMicrosoftCookieHandling
>> 
>> Seriously, we need to decide if this needs to be configurable or not. 
>> Given that RFC6265 allows both expires and max-age to be sent and the 
>> legacy processor sends both by default I'm currently leaning 
>> towards just sending both in the RFC6265 processor.
> 
> +1 sending both headers
> 
> Assume the following: people upgrade Tomcat and the app stops working 
> in IE (most corporate users' default browser). They will blame Tomcat - 
> not IE. Why should we risk to damage Tomcat's reputation if sending 
> both headers is still standards compliant?
> This "hack" seems quite acceptable for me. Adding a configuration 
> option for a "strict" mode would make it easier to test future browser 
> implementations with real applications.

I'm +1 on adding an option, and I think it should be enabled *by default*. The name of the
option should be more clear about what it actually does rather than "fix cookies for stupid
MSIE" (as satisfying as that would be).

It should be something more like supplyExpiresAndMaxAgeWithCookies.

-chris

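The approach discussed in this thread, sending both Max-Age and Expires on a persistent cookie, sketched as an added example (this is not Tomcat's cookie processor code and not code from any poster). The class name, method name, sample cookie names and the fixed past date used for deletion are assumptions; name and value validation is left out.

```java
import java.time.Instant;
import java.time.ZoneOffset;
import java.time.format.DateTimeFormatter;
import java.util.Locale;

// Illustrative only: builds a Set-Cookie value carrying both expiry attributes.
public class DualExpiryCookie {

    // HTTP date in the RFC 1123 form used by Expires, always rendered in GMT.
    private static final DateTimeFormatter HTTP_DATE = DateTimeFormatter
            .ofPattern("EEE, dd MMM yyyy HH:mm:ss 'GMT'", Locale.US)
            .withZone(ZoneOffset.UTC);

    /**
     * maxAgeSeconds < 0  : session cookie, neither attribute is sent.
     * maxAgeSeconds == 0 : delete the cookie; Expires is a fixed date far in the past
     *                      so a skewed client clock cannot keep it alive.
     * maxAgeSeconds > 0  : persistent cookie; Expires = now + maxAgeSeconds.
     */
    static String setCookie(String name, String value, int maxAgeSeconds, Instant now) {
        StringBuilder sb = new StringBuilder(name).append('=').append(value);
        if (maxAgeSeconds >= 0) {
            // Clients that implement RFC 6265 give Max-Age precedence.
            sb.append("; Max-Age=").append(maxAgeSeconds);
            // Clients that honour only Expires fall back to this attribute.
            Instant expires = (maxAgeSeconds == 0)
                    ? Instant.ofEpochSecond(10)      // assumed past date for deletion
                    : now.plusSeconds(maxAgeSeconds);
            sb.append("; Expires=").append(HTTP_DATE.format(expires));
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        Instant now = Instant.parse("2016-11-07T18:28:16Z"); // constructed sample time
        // remember=abc123; Max-Age=86400; Expires=Tue, 08 Nov 2016 18:28:16 GMT
        System.out.println(setCookie("remember", "abc123", 86400, now));
        // remember=; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:10 GMT
        System.out.println(setCookie("remember", "", 0, now));
        // JSESSIONID=xyz
        System.out.println(setCookie("JSESSIONID", "xyz", -1, now));
    }
}
```

Expires is evaluated against the client's clock while Max-Age is relative to receipt, so the two can disagree on a machine with a wrong clock; that matters when the cookie's lifetime bounds a remember-me or session token.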