A new vendor were evaluating to processes XML through our site (Telephony support via XML) now claims (indirectly) that Tomcat 3.2.3 has incorrectly implemented the specification for Cookies, more specifically in the use of the Path attribute. The container is throwning an exception when they call back to us with a cookie named Path, which is of-couse illegal. All we create is a Session object which in turn creates the Cookie with JSESSION and its associated attributes.
After reading the IETF RFC2109 (two or three times) it also seems clear to me that the Path attribute is permitted to have quotes around it (Section 5.1 Examples uses them ) and that Tomcat is doing it right. They claim that browsers don't necessarily enforce the spec and that's why the browsers works against the rest of the site but the XML traffic from their site doesn't. I think this is a load of crap especially since everything broke after they updated their software and the app subsequently stopped working. I saw bug #231 related to a fix in 3.3 but related to high volume which we're not and the bug (#231) could not be reproduced. Will have my team try TC 3.3 on Moday but I don't think anything is going to change. So to the question, is there a governing body that has newer, more complete definition of the Cookie specification that I should have read, is Bug #231 really related to our problem, or is it time for a heart-to-heart with these guys. Thanks, John Moore
