André,

On 4/1/15 10:27 AM, André Warnier wrote:
> André Warnier wrote:
>> Mark Thomas wrote:
>>> On 01/04/2015 11:53, André Warnier wrote:
>>>
>>> <snip/>
>>>
>>>> By curiosity, I was trying to find the relevant RFCs, to see
>>>> if "ä" is a valid name for a cookie. I am not sure..
>>>>
>>>> Cookies are defined in RFC6265
>>>> (http://tools.ietf.org/html/rfc6265). That document defines
>>>> the cookie-name as a "token", and refers to RFC2616 for the
>>>> definition of token. RFC2616
>>>> (http://tools.ietf.org/html/rfc2616#section-2.2) defines a
>>>> "token" as a series of CHAR's, which in turn are defined as
>>>>
>>>> CHAR = <any US-ASCII character (octets 0 - 127)>
>>>>
>>>>
>>>> So that would tend to say that "ä" is not a valid name for a
>>>> cookie ?
>>>
>>> The rules for cookie names are stricter than those for cookie
>>> values. I believe the OP was asking about cookie values.
>>
>> I wasn't sure. The example given to reproduce it was of doing
>>
>> "document.cookie='ä=0';"
>>
>> "in the development console of the browser". Does that create a
>> Cookie header with "ä" in the cookie name, or in the value ?
>>
>>>
>>> That said, no cookie spec allows 0x80 to 0xFF in the cookie
>>> name or value.
>>>
>>> Tomcat's RFC 6265 cookie processor explicitly relaxes this
>>> restriction for cookie values to support interoperability with
>>> non-compliant clients and applications (since it can be done
>>> safely).
>>>
>>
>> It apparently solves the OP's problem for now, which is nice.
>>
>> But maybe Peter should be made aware of the fact that this is a
>> Tomcat-only solution. There is no guarantee that if his proxy
>> application is ported to another servlet container, it would work
>> in the same way. Those cookies are apparently invalid as per the
>> RFC's, so another container may still reject them.
>>
>>
> P.S. It is on the other hand an interesting question in a generic
> sense. What should "a good proxy" do in such a case ? accept the
> invalid cookie header and pass it on to the target server unchanged
> ? or should it reject it and not forward the request ? I'm sure
> there is an RFC about that too..

http://wiki.apache.org/tomcat/Cookies

You might want to have a stiff drink in front of you to read that.

-chris
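
The grammar rules quoted in the thread, as an added example that is not part of the original messages and is not Tomcat's code: it checks each pair of a Cookie header against the RFC 2616 `token` rule for names and the RFC 6265 `cookie-octet` rule for values. The `relax_value` flag is a hypothetical switch modelling the relaxation for 0x80 to 0xFF in values that Mark describes, and the sample header is constructed, assuming the client sends "ä" as UTF-8.

```python
# Added illustration; function names and the relax_value flag are hypothetical.
SEPARATORS = frozenset(b'()<>@,;:\\"/[]?={} \t')
# RFC 2616 token: CHAR (octets 0-127) except CTLs (0-31, 127) and separators.
TOKEN_OCTETS = frozenset(b for b in range(33, 127) if b not in SEPARATORS)
# RFC 6265 cookie-octet: %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
COOKIE_OCTETS = frozenset(b for b in range(0x21, 0x7F) if b not in b'",;\\')
HIGH_OCTETS = frozenset(range(0x80, 0x100))


def _fmt(octets):
    return " ".join(f"0x{b:02X}" for b in sorted(octets))


def check_pair(name: bytes, value: bytes, relax_value: bool = False) -> list:
    """Return the grammar violations for one cookie-pair (empty list = valid)."""
    problems = []
    if not name:
        problems.append("empty name")
    bad = set(name) - TOKEN_OCTETS
    if bad:
        problems.append("name octets outside token: " + _fmt(bad))
    # A cookie-value may be wrapped in one pair of DQUOTEs.
    quoted = len(value) >= 2 and value[:1] == b'"' and value[-1:] == b'"'
    inner = value[1:-1] if quoted else value
    allowed = COOKIE_OCTETS | HIGH_OCTETS if relax_value else COOKIE_OCTETS
    bad = set(inner) - allowed
    if bad:
        problems.append("value octets outside cookie-octet: " + _fmt(bad))
    return problems


def check_cookie_header(raw: bytes, relax_value: bool = False) -> dict:
    """Split a Cookie header value on ';' and check every name=value pair."""
    report = {}
    for pair in raw.split(b";"):
        name, _, value = pair.strip(b" ").partition(b"=")
        report[name] = check_pair(name, value, relax_value)
    return report


# Constructed sample: "ä" once as a cookie name (as in document.cookie='ä=0')
# and once as a cookie value.
SAMPLE = "sid=abc123; ä=0; lang=ä".encode("utf-8")

if __name__ == "__main__":
    for strict in (True, False):
        print("strict" if strict else "relaxed values")
        for name, problems in check_cookie_header(SAMPLE, not strict).items():
            print("  ", name, problems or "ok")
```

In `document.cookie='ä=0'` the "ä" lands in the cookie name, so relaxing only the value rule still leaves that pair invalid, while `lang=ä` passes.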