tomcat-users mailing list archives

From "Hedrick, Brooke - 43" <>
Subject Tomcat 8.5.5 (8.5+) Default Cookie Processor breaks persistent cookies for all IE versions
Date Fri, 04 Nov 2016 19:10:18 GMT
Sorry if this has been already asked. I searched the archives and didn't find what I was
looking for.

Has anyone else run into an issue with persistent cookies in Tomcat 8.5+ and IE not working?

We are seeing an issue where the new default cookie processor, org.apache.tomcat.util.http.Rfc6265CookieProcessor,
is not writing out the expires tag for the cookies.  It is only writing out max-age in the
generateHeader() method.  This is a change from the previous cookie processing.

Here's the current code:

There is documentation at
which explains the new vs legacy cookie handler and that this behavior is intentional.  It
doesn't explain that this behavior isn't limited to IE6-7.  It also affects IE8-11 and Edge
and as a result, by default, Tomcat 8.5+ does not create persistent cookies that work with
IE on any IE version.

Does it make sense that the shipping configuration would not work with IE for persistent cookies?

There are other gotchas, like blank/null cookie values causing problems with the new default
processor and a leading period in the cookie domain causing issues.  We have fixed these issues
across many applications, but weren't expecting issues with persistent cookies not working
at all in IE.  The documentation on the Tomcat page alludes to IE6-7 having the issue.  It
doesn't mention the other versions.

We are looking into short term solutions (while avoiding the legacy cookie processor) - writing
our own headers, creating a filter, ...

Another interesting observation is that the ExpiresFilter included with Tomcat still writes
both the expires and max-age attributes.

Here's a page where you can see the issue of IE not reading the max-age attribute.  On Chrome,
FF, and Safari, the test will complete after a few runs.  On IE, it runs indefinitely.

If I have missed some configuration, tested incorrectly, etc., please let me know.

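One way to approach the "writing our own headers" workaround mentioned in the message, as an added example that is not part of the original post and not Tomcat's code: a plain-Java helper that derives an Expires attribute from Max-Age in a Set-Cookie value. The class name `ExpiresFromMaxAge`, the method `withExpires`, and the sample header values are assumptions made for illustration; wiring the helper into a filter or response wrapper is assumed and not shown.

```java
import java.time.Instant;
import java.time.ZoneOffset;
import java.time.format.DateTimeFormatter;
import java.util.Locale;

// Added example, not Tomcat code: class and method names are hypothetical.
public class ExpiresFromMaxAge {

    // HTTP date layout, always English and GMT, e.g. "Fri, 04 Nov 2016 19:10:18 GMT".
    private static final DateTimeFormatter HTTP_DATE = DateTimeFormatter
            .ofPattern("EEE, dd MMM yyyy HH:mm:ss 'GMT'", Locale.US)
            .withZone(ZoneOffset.UTC);

    /** Returns the Set-Cookie value with Expires appended when only Max-Age is present. */
    static String withExpires(String setCookie, Instant now) {
        Integer maxAge = null;
        String[] parts = setCookie.split(";");
        // parts[0] is name=value; attribute names are matched case-insensitively.
        for (int i = 1; i < parts.length; i++) {
            String attr = parts[i].trim();
            String lower = attr.toLowerCase(Locale.ROOT);
            if (lower.startsWith("expires=")) {
                return setCookie; // already has Expires: leave untouched
            }
            if (lower.startsWith("max-age=")) {
                try {
                    maxAge = Integer.parseInt(attr.substring("max-age=".length()).trim());
                } catch (NumberFormatException e) {
                    return setCookie; // malformed Max-Age: do not guess a date
                }
            }
        }
        if (maxAge == null) {
            return setCookie; // session cookie: nothing to add
        }
        // Max-Age <= 0 asks for deletion, so use a date in the past (the epoch).
        Instant expires = maxAge > 0 ? now.plusSeconds(maxAge) : Instant.EPOCH;
        return setCookie + "; Expires=" + HTTP_DATE.format(expires);
    }

    public static void main(String[] args) {
        Instant now = Instant.parse("2016-11-04T19:10:18Z"); // constructed clock value
        // Constructed sample header values, not captured from a real server.
        System.out.println(withExpires("pref=dark; Max-Age=3600; Path=/", now));
        System.out.println(withExpires("pref=gone; max-age=0", now));
        System.out.println(withExpires("JSESSIONID=abc123; Path=/; HttpOnly", now));
    }
}
```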