tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Apache Wiki <>
Subject [Tomcat Wiki] Update of "Cookies" by jboynes
Date Sun, 26 Jan 2014 20:49:28 GMT
Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Tomcat Wiki" for change notification.

The "Cookies" page has been changed by jboynes:

Update implementation progress and link to a new set of patches

  = Cookies =
+ == Implementation Progress ==
+ I started work on this in a local branch. Patches for the changes made there can be found
+ There is substantial refactoring in there to simply the current implementation. Actual changes
+  * C3 '=' is now disallowed in Netscape cookie names (it was already not allowed in RFC2109
+  * C4 Attribute names are allowed as cookies names
+  * Cookie names starting with '$' are allowed in Netscape and RFC6265 mode and will still
throw an IAE in RFC2109 mode
  == Round Trip Behaviour ==
  The following tables document how a value is sent in a Set-Cookie header, what gets stored
by a typical browser, the Cookie header that is generated by the browser and then the final
value returned to a Servlet application.
@@ -56, +64 @@

   C5 Allow unnamed cookies in C1b "netscape" mode::
   :: Allow cookies whose name is null or the empty string. Browsers will store a single cookie
that has no name whose value is sent as simply «value» (i.e. without any '=' delimiter).
This would now be supported if STRICT_NAMING is set to "netscape" but would remain disallowed
in "rfc2109" or "rfc6265" modes. If allowed, the Set-Cookie header would contain just the
value (no '=' present and an IAE if value contained an '=') and any such cookie found during
parsing would be included in the result of HttpServletRequest#getCookies().
- A candidate patch for these Cxx changes can be found here:
- This follows proposal C1 with the consequence that a "/" is not allowed in a cookie name
by default; to allow that STRICT_NAMING must be set to false (i.e. to "netscape" mode). The
test suite changes are a result of that and with them in place I have verified it still passes.
  === Changes to generation of Set-Cookie header ===
   G1 Use RFC6265 format header for V0 cookies::
   :: When version == 0 always generate a RFC6265 header, raising an exception from addCookie
if the value is invalid rather than attempting to upgrade to a RFC2109 header to use quoting.
Application impact is that they will now fail fast with an error rather than inconsistent
data as described in Bug 55920; applications that do not set invalid values will not be impacted.

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message