tomcat-dev mailing list archives

From Kyohei Nakamura <nakamura.kyohei....@gmail.com>
Subject Re: About CookieNameValidator
Date Thu, 02 Jun 2016 08:41:03 GMT
Hi all,

I created a Bugzilla issue related to the previous mail.
https://bz.apache.org/bugzilla/show_bug.cgi?id=59655

What do you think about this?


Best regards,
Kyohei Nakamura


2016-05-23 15:48 GMT+09:00 Kyohei Nakamura <nakamura.kyohei.lab@gmail.com>:

> Hi all,
>
> I think that the CookieNameValidator has an issue related to
> consistency.
>
> The javax.servlet.http.CookieNameValidator has multiple implementations.
> If the org.apache.tomcat.util.http.ServerCookie.STRICT_NAMING system
> property is not specified, the javax.servlet.http.NetscapeValidator will be
> used by default.
>
> The NetscapeValidator allows HTTP separators (excluding semi-colon, comma
> and white space) in the cookie name.
> However, the Rfc6265CookieProcessor and the LegacyCookieProcessor do not
> allow HTTP separators in the cookie name.
> As a result, although Tomcat sends a cookie header that includes HTTP
> separators in the cookie name, Tomcat cannot receive that cookie header.
> I think that it lacks consistency.
> The CookieNameValidator and the CookieProcessor should be consistent.
>
> On the other hand, the implementation of CookieNameValidator to use can be
> switched by the org.apache.tomcat.util.http.ServerCookie.STRICT_NAMING
> system property, but cannot be switched per Context, like the
> CookieProcessor.
> I think that setting the CookieNameValidator per Context is more useful.
>
> Best regards,
> Kyohei Nakamura
>
>
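
The mismatch described in the quoted message, modelled as an added example (not Tomcat's code and not part of the original mails): it flags cookie names that the lenient outbound rule accepts but a token-only inbound parser drops. The class and method names are hypothetical, and the rejection of control and non-ASCII characters by both rule sets is an assumption of the model.

```java
// Added illustration: a simplified model of the two rule sets described in the
// message above. Not Tomcat's implementation; all names here are hypothetical.
public class CookieNameConsistencyDemo {

    // HTTP separators as defined in RFC 2616 section 2.2 (SP and HT included).
    static final String HTTP_SEPARATORS = "()<>@,;:\\\"/[]?={} \t";

    // Per the message: the lenient validator rejects only semicolon, comma and white space.
    static final String LENIENT_REJECTED = ";, \t";

    static boolean hasOnlyAllowedChars(String name, String rejected) {
        if (name == null || name.isEmpty()) {
            return false;
        }
        for (char c : name.toCharArray()) {
            // Assumption of this model: both rule sets reject control and non-ASCII characters.
            if (c < 0x20 || c >= 0x7f || rejected.indexOf(c) >= 0) {
                return false;
            }
        }
        return true;
    }

    // Outbound check, modelling the lenient (Netscape-style) name validation.
    static boolean acceptedWhenSetting(String name) {
        return hasOnlyAllowedChars(name, LENIENT_REJECTED);
    }

    // Inbound check, modelling a parser that requires the name to be an HTTP token.
    static boolean acceptedWhenParsing(String name) {
        return hasOnlyAllowedChars(name, HTTP_SEPARATORS);
    }

    // A name is lost if the application may set it but the server cannot read it back.
    static boolean isLostOnRoundTrip(String name) {
        return acceptedWhenSetting(name) && !acceptedWhenParsing(name);
    }

    public static void main(String[] args) {
        // Constructed sample names, not taken from the thread.
        String[] names = {"JSESSIONID", "user/id", "pref[theme]", "a@b", "x;y", "k v"};
        for (String name : names) {
            System.out.printf("%-12s set=%-5b parse=%-5b lostOnRoundTrip=%b%n", name,
                    acceptedWhenSetting(name), acceptedWhenParsing(name), isLostOnRoundTrip(name));
        }
    }
}
```

Running a check like this over the cookie names an application sets shows which ones would silently fail to come back on later requests, for example names carrying session or CSRF state.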
