André Warnier wrote:
Mark Thomas wrote:
On 01/04/2015 11:53, André Warnier wrote:
<snip/>

Out of curiosity, I was trying to find the relevant RFCs, to see if "ä" is a
valid name for a cookie. I am not sure..
Cookies are defined in RFC6265 (http://tools.ietf.org/html/rfc6265).
That document defines the cookie-name as a "token", and refers to
RFC2616 for the definition of token.
RFC2616 (http://tools.ietf.org/html/rfc2616#section-2.2) defines a
"token" as a series of CHARs, which in turn are defined as
CHAR = <any US-ASCII character (octets 0 - 127)>
So that would tend to say that "ä" is not a valid name for a cookie?

The rules for cookie names are stricter than those for cookie values. I
believe the OP was asking about cookie values.

I wasn't sure. The example given to reproduce it was of doing
"document.cookie='ä=0';"
"in the development console of the browser". Does that create a Cookie
header with "ä" in the cookie name, or in the value?

That said, no cookie spec allows 0x80 to 0xFF in the cookie name or
value.
Tomcat's RFC 6265 cookie processor explicitly relaxes this restriction
for cookie values to support interoperability with non-compliant clients
and applications (since it can be done safely).

It apparently solves the OP's problem for now, which is nice.
But maybe Peter should be made aware of the fact that this is a
Tomcat-only solution.
There is no guarantee that if his proxy application is ported to another
servlet container, it would work in the same way.
Those cookies are apparently invalid as per the RFCs, so another
container may still reject them.

P.S. It is on the other hand an interesting question in a generic sense. What should "a
good proxy" do in such a case? Accept the invalid cookie header and pass it on to the
target server unchanged? Or should it reject it and not forward the request?
I'm sure there is an RFC about that too..
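
An added example, not part of the thread and not Tomcat's code: it splits a Cookie header value into cookie-pairs at the octet level and checks each name against the RFC 2616 token rule and each value against the RFC 6265 cookie-octet rule, which shows where the "ä" from `document.cookie='ä=0'` ends up. The function names and the `relaxedValues` option are hypothetical; the option models the value-only relaxation for 0x80 to 0xFF described above.

```javascript
// RFC 2616 "separators"; a token octet is any CHAR except CTLs and these.
const SEPARATORS = new Set(Buffer.from('()<>@,;:\\"/[]?={} \t', 'latin1'));

const isTokenOctet = (b) => b > 0x20 && b < 0x7f && !SEPARATORS.has(b);

// RFC 6265 cookie-octet: %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E.
// relaxed=true additionally admits 0x80-0xFF (assumption: models the
// relaxation described in the thread, not any container's real code).
function isCookieOctet(b, relaxed) {
  if (b >= 0x80) return relaxed;
  return b === 0x21 || (b >= 0x23 && b <= 0x2b) || (b >= 0x2d && b <= 0x3a) ||
    (b >= 0x3c && b <= 0x5b) || (b >= 0x5d && b <= 0x7e);
}

// Split one Cookie header value (as octets on the wire) into cookie-pairs
// and report, per pair, whether name and value fit the grammar.
function checkCookieHeader(header, { relaxedValues = false } = {}) {
  const bytes = Buffer.isBuffer(header) ? header : Buffer.from(header, 'utf8');
  const out = [];
  let start = 0;
  for (let i = 0; i <= bytes.length; i++) {
    if (i < bytes.length && bytes[i] !== 0x3b) continue; // 0x3b is ';'
    let pair = bytes.subarray(start, i);
    start = i + 1;
    while (pair.length && pair[0] === 0x20) pair = pair.subarray(1); // leading SP
    if (!pair.length) continue;
    const eq = pair.indexOf(0x3d); // the first '=' ends the name
    const name = eq < 0 ? pair : pair.subarray(0, eq);
    let value = eq < 0 ? Buffer.alloc(0) : pair.subarray(eq + 1);
    if (value.length >= 2 && value[0] === 0x22 && value[value.length - 1] === 0x22) {
      value = value.subarray(1, value.length - 1); // optional DQUOTE wrapper
    }
    out.push({
      name: name.toString('utf8'),
      // A pair without '=' or with an empty name does not match the grammar.
      nameValid: eq > 0 && [...name].every(isTokenOctet),
      valueValid: eq >= 0 && [...value].every((b) => isCookieOctet(b, relaxedValues)),
    });
  }
  return out;
}

// Constructed sample header: non-ASCII once in a name, once in a value.
console.log(checkCookieHeader('\u00e4=0; lang=\u00e4', { relaxedValues: true }));
```

With `relaxedValues` on, only the pair carrying "ä" in the value passes; the pair with "ä" before the first "=" still fails the name check.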