tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Caldarale, Charles R" <Chuck.Caldar...@unisys.com>
Subject RE: Tomcat 8.5.4 and LegacyCookieProcessor
Date Thu, 18 May 2017 18:12:40 GMT
> From: jared.paul.walker@gmail.com [mailto:jared.paul.walker@gmail.com] On Behalf Of Jared
Walker
> Subject: Tomcat 8.5.4 and LegacyCookieProcessor

> We are migrating to the version of tomcat identified in the subject

Before exposing an almost year-old version to the nasty real world, you might want to look
at this:
        http://tomcat.apache.org/security-8.html
and then pick a newer level (hint: 8.5.15 would be good).

> 1. What are the security and compatibility concerns when using the
> legacy processor

Sorry, can't answer that one.

> 2. The header for LegacyCookieProcesor.java explicitly states: "This
> class is not thread-safe."

> Can someone here with background knowledge explain exactly whats not
> thread-safe about the processor?  Does this mean you cannot use it for
> multiple simultaneous requests (pretty hindering for a server) or does
> this mean that you cannot have multiple threads parse the cookie
> contents of a request in parallel (which isn't a very normal thing to
> do)?

It's neither, really; there is one instance of CookieProcessor per <Context>, and the
fields within LegacyCookieProcessor that make it not thread-safe are only set (in Tomcat)
when the <Context> is initialized.  Were you to dynamically reset the fields while requests
were in progress, you could get in trouble.  The fields are described here:

http://tomcat.apache.org/tomcat-8.5-doc/config/cookie-processor.html

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus
for use only by the intended recipient. If you received this in error, please contact the
sender and delete the e-mail and its attachments from all computers.


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message