tomcat-dev mailing list archives

From Kyohei Nakamura <>
Subject Re: About CookieNameValidator
Date Thu, 02 Jun 2016 08:41:03 GMT
Hi all,

I created a Bugzilla issue related to the previous mail.

What do you think about this?

Best regards,
Kyohei Nakamura

2016-05-23 15:48 GMT+09:00 Kyohei Nakamura <>:

> Hi all,
> I think that the CookieNameValidator has an issue related to
> consistency.
> The javax.servlet.http.CookieNameValidator has multiple implementations.
> If the org.apache.tomcat.util.http.ServerCookie.STRICT_NAMING system
> property is not specified, the javax.servlet.http.NetscapeValidator will be
> used by default.
> The NetscapeValidator allows HTTP separators (excluding semi-colon, comma
> and white space) in the cookie name.
> However, the Rfc6265CookieProcessor and the LegacyCookieProcessor do not
> allow HTTP separators in the cookie name.
> As a result, although Tomcat sends a cookie header that includes HTTP
> separators in the cookie name, Tomcat cannot receive the cookie header.
> I think that it lacks consistency.
> The CookieNameValidator and the CookieProcessor should be consistent.
> On the other hand, the implementation of CookieNameValidator to use can be
> switched by the org.apache.tomcat.util.http.ServerCookie.STRICT_NAMING
> system property, but cannot be switched per Context, like the
> CookieProcessor.
> I think that setting the CookieNameValidator per Context is more useful.
> Best regards,
> Kyohei Nakamura
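
The mismatch described in the quoted mail, as an added Java sketch (not Tomcat's code and not part of the original message). Both checks are simplified models built from the mail's description and the RFC 2616 separator list; the class name, method names and sample cookie names are constructed for illustration.

```java
import java.util.List;

// Simplified model of the two checks; not Tomcat's implementation.
public class CookieNameConsistency {

    // HTTP separators as listed in RFC 2616, section 2.2.
    static final String HTTP_SEPARATORS = "()<>@,;:\\\"/[]?={} \t";

    // Assumption: name check on the sending side, as the mail describes the
    // Netscape-style validator (only semicolon, comma and white space rejected).
    static boolean acceptedWhenSetting(String name) {
        return isPrintableAscii(name) && containsNone(name, ";, \t");
    }

    // Assumption: name check on the receiving side, as the mail describes the
    // cookie processors (no HTTP separator allowed in the name).
    static boolean acceptedWhenParsing(String name) {
        return isPrintableAscii(name) && containsNone(name, HTTP_SEPARATORS);
    }

    static boolean isPrintableAscii(String s) {
        return !s.isEmpty() && s.chars().allMatch(c -> c == '\t' || (c >= 0x20 && c < 0x7f));
    }

    static boolean containsNone(String s, String forbidden) {
        return s.chars().noneMatch(c -> forbidden.indexOf(c) >= 0);
    }

    // A name round-trips only if both sides accept it.
    static String classify(String name) {
        boolean set = acceptedWhenSetting(name);
        boolean parse = acceptedWhenParsing(name);
        if (set && !parse) return "INCONSISTENT (sent, but rejected on receipt)";
        if (set) return "ok";
        return "rejected when setting";
    }

    public static void main(String[] args) {
        // Constructed sample names.
        for (String name : List.of("JSESSIONID", "user@site", "cart[0]", "a/b", "bad;name")) {
            System.out.printf("%-12s %s%n", name, classify(name));
        }
    }
}
```

Names flagged INCONSISTENT are the ones to look for in an application audit: under the behaviour the mail describes, the application can set them but never reads them back.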
