tomcat-dev mailing list archives

From bugzi...@apache.org
Subject [Bug 60788] Cookies value contains quotes when the Cookie header contains $Version=1 and the header's value is enclosed by quotes
Date Wed, 01 Mar 2017 20:39:21 GMT
https://bz.apache.org/bugzilla/show_bug.cgi?id=60788

--- Comment #13 from Markus Malkusch <markus@malkusch.de> ---
Then let me add more details to the described case: The intended symmetric round
trip behaviour was not given. The Cookie was initially created with the Servlet
API (containing only alphanumeric characters), which sends a Set-Cookie header
without quotes (Set-Cookie: userId=foo;Max-Age=15552000;path=/).

It was the user agent (Dalvik/2.1.0 (Linux; U; Android 5.1; A2 Build/LMY47I))
which then continued to send it back with quotes. I couldn't find anything in
the related RFCs which forbids this, so I assume it's a possible and valid
behaviour.

I think it's wrong in this case to expose those quotes to the application
programmer. It is unexpected and leads to errors in the application.

However it is currently a rare case. I observe it once every 5k requests.
Application programmers can easily mitigate the issue themselves, if they only
knew.

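The application-side mitigation the comment mentions, as an added example that is not part of the original message and is not Tomcat code: it parses a Cookie header, skips `$`-prefixed attributes such as `$Version`, strips one enclosing pair of quotes, and then checks the result against the format the application issued. The class and method names are hypothetical, and the alphanumeric rule is an assumption based on the cookie described above.

```java
import java.util.LinkedHashMap;
import java.util.Map;

public final class QuotedCookieDemo {
    /** Removes one enclosing pair of double quotes and resolves backslash escapes. */
    static String unquote(String raw) {
        int last = raw.length() - 1;
        if (last < 1 || raw.charAt(0) != '"' || raw.charAt(last) != '"') return raw; // not quoted
        StringBuilder out = new StringBuilder();
        for (int i = 1; i < last; i++) {
            char c = raw.charAt(i);
            if (c == '\\' && i + 1 < last) c = raw.charAt(++i); // keep the escaped character
            out.append(c);
        }
        return out.toString();
    }

    /** Splits a Cookie header on ';' outside quotes, skips $-attributes, unquotes values. */
    static Map<String, String> parse(String header) {
        Map<String, String> cookies = new LinkedHashMap<>();
        int i = 0, n = header.length();
        while (i < n) {
            int j = i;
            boolean quoted = false;
            for (; j < n && (quoted || header.charAt(j) != ';'); j++) {
                char c = header.charAt(j);
                if (c == '\\' && quoted && j + 1 < n) j++; // skip the escaped character
                else if (c == '"') quoted = !quoted;
            }
            String pair = header.substring(i, j).trim();
            int eq = pair.indexOf('=');
            if (eq > 0 && !pair.startsWith("$")) {
                cookies.put(pair.substring(0, eq).trim(), unquote(pair.substring(eq + 1).trim()));
            }
            i = j + 1;
        }
        return cookies;
    }

    public static void main(String[] args) {
        // Constructed headers: unquoted form, quoted $Version=1 form, unbalanced quote
        String[] samples = {"userId=foo", "$Version=1; userId=\"foo\"", "userId=\"foo"};
        for (String h : samples) {
            String id = parse(h).get("userId");
            boolean ok = id != null && id.matches("[A-Za-z0-9]+"); // assumed application rule
            System.out.println(h + " -> " + id + (ok ? " (accepted)" : " (rejected)"));
        }
    }
}
```

In a servlet, the same `unquote` and format check can be applied to the string returned by `Cookie.getValue()` before the value is used as an identifier.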