tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
Subject [Bug 59655] New: The CookieNameValidator has issue that related to the consistency
Date Thu, 02 Jun 2016 08:35:19 GMT

            Bug ID: 59655
           Summary: The CookieNameValidator has issue that related to the
           Product: Tomcat 9
           Version: unspecified
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Catalina

The javax.servlet.http.CookieNameValidator has multiple implementations.
If the org.apache.tomcat.util.http.ServerCookie.STRICT_NAMING system property
is not specified, the javax.servlet.http.NetscapeValidator will be used in

The NetscapeValidator allows HTTP separators (excluding semi-colon, comma and
white space) in the cookie name.
However, the Rfc6265CookieProcessor and the LegacyCookieProcessor do not allow
HTTP separators in the cookie name.
As a result, although Tomcat sends cookie header that include HTTP separators
in the cookie name, the Tomcat can not receive the cookie header.
I think that it lacks consistency.
The CookieNameValidator and the CookieProcessor should be the consistency.

On the other hand, the implementation of CookieNameValidator to use can be
switched by the org.apache.tomcat.util.http.ServerCookie.STRICT_NAMING system
property, but can not be switched per Context, like the CookieProcessor.
I think that setting of the CookieNameValidator per Context is more useful.

You are receiving this mail because:
You are the assignee for the bug.

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message