thank you for your answers and short clarification. see my answers and further questions inline.
> In short:
> 1. Cookies are usually sent by a single multi-valued "Cookie" header.
> If the header has incorrect value, then the client is sending an
> incorrect request which has to be rejected as invalid (400).

Why isn't the request simply rejected as invalid (400) by Tomcat, instead of throwing the exception and quitting the request, resulting in a blank page on the client (browser) side? Returning the "HTTP Error 400 Bad request" response would be more helpful for understanding the failure on the client side than the blank page.

> In the past broken headers were used as a tool to break security of
> some web applications. E.g. to steal sessionid value.
>
> See CVE-2007-3385, CVE-2007-5333
> http://tomcat.apache.org/security-6.html

In this case it results in preventing the client's browser from accessing the page, without any reason (no 400 response returned).

> So I would like to be strict here.
>
> What is sending that value? Some web browser?

The value is sent by some web browser when requesting a page. The cookie is maybe set by a third party in order to prevent a user from accessing pages. We are not setting any cookies with illegal control characters intentionally. We got a hint that we could have a security hole in our application. Reproducing the problem resulted in detecting that it occurs already before our application can process the request, somewhere in the Tomcat engine (see stack trace).

> 2. If you are going to skip one cookie... that is not possible. At
> best you have to skip all of them (the header as a whole), and your
> web application will likely misbehave anyway.

I would prefer skipping all cookies, but how can I configure Tomcat to do so and not try to read/process them?

> When Tomcat deciphers the Cookie header, the header contents in memory
> are being changed. So if Tomcat were changed to skip broken header,
> then you will not be able to process it in your application anyway.
>
> In Tomcat 8 it is possible to preserve the header, but it is turned
> off by default (PRESERVE_COOKIE_HEADER system property).

I do not want to process the broken header at any price, but I did not find any hint on how to prevent Tomcat from processing such headers, resulting in the mentioned behaviour.

> 3. What bothers me is why this error is logged at severe level.

The Tomcat log level has not been changed; I'm using the default settings. The problem maybe is that the exception is not caught and the request rejected as invalid (returning 400)?

Best regards,
Laszlo Keszthelyi
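As an added illustration (not from this thread and not Tomcat's own code), a small Python model of the strict policy discussed above: the multi-valued Cookie header is parsed as a whole, and the first control character rejects the request with 400 instead of one cookie being silently skipped. The header values are constructed samples.

```python
# Added example: model of a strict Cookie-header check. Not Tomcat code;
# the parsing is simplified (no quoted values, no attribute handling).

# RFC 6265 forbids CTLs (0x00-0x1F, 0x7F) in cookie names and values.
# HTAB is left out here because HTTP field values allow it as whitespace
# (a simplification chosen for this model).
CTL = {chr(c) for c in range(0x00, 0x20) if c != 0x09} | {"\x7f"}


def find_control_char(header):
    """Return (offset, char) of the first control character, or None."""
    for i, ch in enumerate(header):
        if ch in CTL:
            return i, ch
    return None


def parse_cookie_header(header):
    """Parse 'a=1; b=2' into a dict; raise ValueError if the header is broken.

    A single bad character poisons the whole header, which is why the
    request as a whole is rejected rather than one cookie being dropped.
    """
    hit = find_control_char(header)
    if hit is not None:
        offset, ch = hit
        raise ValueError("control character 0x%02x at offset %d" % (ord(ch), offset))
    cookies = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        if not sep or not name.strip():
            raise ValueError("malformed cookie-pair: %r" % part)
        cookies[name.strip()] = value.strip()
    return cookies


def handle_request(headers):
    """Return (status, cookies) on success or (400, reason) on a bad header."""
    raw = headers.get("Cookie")
    if raw is None:
        return 200, {}
    try:
        return 200, parse_cookie_header(raw)
    except ValueError as err:
        return 400, str(err)
```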
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org