tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
Subject [Bug 60788] Cookies value contains quotes when the Cookie header contains $Version=1 and the header's value is enclosed by quotes
Date Wed, 01 Mar 2017 19:56:36 GMT

Mark Thomas <> changed:

           What    |Removed                     |Added
         Resolution|---                         |WONTFIX
             Status|REOPENED                    |RESOLVED

--- Comment #12 from Mark Thomas <> ---
This particular behaviour relates to exactly what should be presented to, and
returned from, the Servlet API. The Servlet spec is silent on this issue.

What the Tomcat developers opted for was the general aim of symmetric,
consistent round-trip behaviour. For any valid value it should be possible to
create a Cookie with a given value, add it to the response and then retrieve
the same value from the next request.

For RFC 2109 cookies (anything with an explicit version of 1 or 0)
- unquoted values that require quoting to be valid are automatically quoted and
escaped to make them valid
- any quotes and escaping in received values is retained.

Because of the various edge cases around quoting RFC2109 cookies, keeping the
values as quoted made handling simpler and less likely to do the wrong thing.

The quotes are always removed from received RFC 6265 cookies (anything without
an explicit version of 1 or 0). Tomcat also strips quotes before generating the
Cookie header for RFC 6265 cookies.

Because there is no escaping in RFC 6265 and because quotes are not allowed in
values, removing them was much simpler (and generally is what applications

There are a lot of edge cases in all of this and no single solution that works
perfectly for everyone. The current behaviour has evolved over a long period of
time to a solution that works for most users, most of the time and
configuration options to cover the majority of edge cases. As such, changes are
unlikely but not impossible (e.b. bug 60627). Ultimately, the last major
refactoring added the CookieProcessor interface which enables any user to
essentially completely customise the cookie handling on a per application

You are receiving this mail because:
You are the assignee for the bug.
To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message