Christopher Schultz wrote:
André,

On 4/1/15 10:27 AM, André Warnier wrote:
André Warnier wrote:
Mark Thomas wrote:
On 01/04/2015 11:53, André Warnier wrote:
<snip/>

By curiosity, I was trying to find the relevant RFCs, to see
if "ä" is a valid name for a cookie. I am not sure..

Cookies are defined in RFC6265
(http://tools.ietf.org/html/rfc6265). That document defines
the cookie-name as a "token", and refers to RFC2616 for the
definition of token. RFC2616
(http://tools.ietf.org/html/rfc2616#section-2.2) defines a
"token" as a series of CHAR's, which in turn are defined as

CHAR = <any US-ASCII character (octets 0 - 127)>

So that would tend to say that "ä" is not a valid name for a
cookie ?

The rules for cookie names are stricter than those for cookie
values. I believe the OP was asking about cookie values.

I wasn't sure. The example given to reproduce it was of doing
"document.cookie='ä=0';"
"in the development console of the browser". Does that create a
Cookie header with "ä" in the cookie name, or in the value ?

That said, no cookie spec allows 0x80 to 0xFF in the cookie
name or value.

Tomcat's RFC 6265 cookie processor explicitly relaxes this
restriction for cookie values to support interoperability with
non-compliant clients and applications (since it can be done
safely).

It apparently solves the OP's problem for now, which is nice.
But maybe Peter should be made aware of the fact that this is a
Tomcat-only solution. There is no guarantee that if his proxy
application is ported to another servlet container, it would work
in the same way. Those cookies are apparently invalid as per the
RFC's, so another container may still reject them.

P.S. It is on the other hand an interesting question in a generic
sense. What should "a good proxy" do in such a case ? accept the
invalid cookie header and pass it on to the target server unchanged
? or should it reject it and not forward the request ? I'm sure
there is an RFC about that too..

http://wiki.apache.org/tomcat/Cookies
You might want to have a stiff drink in front of you to read that.

Oh, I see. And me naively thinking this was a simple matter..
Respect.

A few stiff drinks might be more in order.
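
The grammar quoted in this thread (cookie-name as an RFC 2616 token, and no octets 0x80 to 0xFF in name or value) can be checked per cookie-pair. The following is an added example, not part of the thread and not Tomcat's code; the function names are hypothetical, and it assumes the client sends the pair as UTF-8 bytes.

```javascript
// Added example: hypothetical helper names; this is not Tomcat's cookie processor.
// RFC 2616 separators, which may not appear in a token (and so not in a cookie-name).
const SEPARATORS = new Set([...'()<>@,;:\\"/[]?={} \t'].map(c => c.charCodeAt(0)));

// token = 1*<any CHAR except CTLs or separators>, CHAR = octets 0-127
function isToken(bytes) {
  return bytes.length > 0 &&
    bytes.every(b => b > 0x20 && b < 0x7f && !SEPARATORS.has(b));
}

// RFC 6265 cookie-octet: %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
function isCookieOctet(b) {
  return b === 0x21 || (b >= 0x23 && b <= 0x2b) || (b >= 0x2d && b <= 0x3a) ||
         (b >= 0x3c && b <= 0x5b) || (b >= 0x5d && b <= 0x7e);
}

// 'valid'      : every octet is a cookie-octet (optionally wrapped in DQUOTEs)
// 'high-octet' : only violation is octets 0x80-0xFF, the range discussed in the thread
// 'invalid'    : contains CTLs, whitespace, comma, semicolon, backslash or a stray DQUOTE
function classifyValue(bytes) {
  let v = bytes;
  if (v.length >= 2 && v[0] === 0x22 && v[v.length - 1] === 0x22) {
    v = v.subarray(1, v.length - 1);
  }
  if (v.every(isCookieOctet)) return 'valid';
  if (v.every(b => isCookieOctet(b) || b >= 0x80)) return 'high-octet';
  return 'invalid';
}

// Splits a Cookie header value into cookie-pairs and checks each side at byte level.
function auditCookieHeader(headerValue) {
  // Assumption: UTF-8 on the wire; latin1 keeps one string character per octet.
  const wire = Buffer.from(headerValue, 'utf8').toString('latin1');
  return wire.split(/;[ \t]*/).filter(Boolean).map(pair => {
    const eq = pair.indexOf('=');
    // A pair without '=' is treated here as a nameless value (assumption).
    const name = Buffer.from(eq < 0 ? '' : pair.slice(0, eq), 'latin1');
    const value = Buffer.from(eq < 0 ? pair : pair.slice(eq + 1), 'latin1');
    return { name: name.toString('utf8'), nameOk: isToken(name), value: classifyValue(value) };
  });
}

// Constructed sample header, including the 'ä=0' pair from the thread.
console.log(auditCookieHeader('ä=0; session=abc123; lang=ä'));
```

A proxy or filter can log the `high-octet` and `invalid` results separately before deciding whether to forward or reject the request.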