Hi everyone,

After a recent upgrade from Tomcat 8.0.28 to 8.5.11, I've noticed a syntax change in the Set-Cookie header generated by Tomcat, and I was hoping to confirm whether this is intentional or if I'm doing something incorrectly.

The background: After upgrading Tomcat, some automated tests started failing. These tests use an Apache CXF client to make requests to a service running inside Tomcat, and then make various assertions on the value of the Set-Cookie header returned from the service. The root cause of the failure appears to be a change in the syntax used for the Set-Cookie header which resulted in parsing failures in the client.

The header that's generated by Tomcat 8.0.28 looks like:

    Set-Cookie: cookie_name=value; Path=/

With 8.5.11, it looks like:

    Set-Cookie: cookie_name=value;path=/

Note the missing space after the semicolon and the change from "Path" to "path".

After some digging around, I saw that the new Rfc6265CookieProcessor was changed to be the default cookie processor. When I followed instructions [1] to change back to the old processor, the original behavior was restored and my tests pass again.

Is this expected behavior? I see that RFC 6265 specifies [2] that there must be a space between the semicolon and "path", and that it should be "Path" with the first letter uppercased. Taking a look at the Rfc6265CookieProcessor source code (the generateHeader method, specifically), the lack of space and lower case p appear to be intentional, yet don't seem to conform to the RFC the class is targeting.

I am sure I must be missing something since this is the new default and this is such a common behavior, but I've dug around for a while and can't find another explanation.

Thanks in advance for your time and help!

Jim

[1] http://stackoverflow.com/questions/38696081/how-to-change-cookie-processor-to-legacycookieprocessor-in-tomcat-8
[2] https://tools.ietf.org/html/rfc6265#section-4.1.1
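
An added example, not part of the original message and not Tomcat or CXF code: a client-side Set-Cookie parser that follows the splitting step of the user-agent algorithm in RFC 6265 section 5.2, which trims whitespace around each attribute and treats attribute names case-insensitively, so assertions can be written against both header forms quoted above. The class and method names are hypothetical, and attribute-specific processing (for example default-path handling) is left out.

```java
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;

// Added example: lenient Set-Cookie parsing after RFC 6265 section 5.2.
// SetCookieParser and Parsed are hypothetical names, not a Tomcat or CXF API.
public class SetCookieParser {
    public static final class Parsed {
        public final String name;
        public final String value;
        // Attribute names are lower-cased; flag attributes (Secure, HttpOnly) map to "".
        public final Map<String, String> attributes = new LinkedHashMap<>();
        Parsed(String name, String value) { this.name = name; this.value = value; }
    }

    // Takes the header value (the text after "Set-Cookie:"). Returns null when the
    // name-value pair is unusable, the case in which section 5.2 ignores the header.
    public static Parsed parse(String headerValue) {
        // limit -1 keeps trailing empty parts, so ";" alone does not yield an empty array
        String[] parts = headerValue.split(";", -1);
        String pair = parts[0];
        int eq = pair.indexOf('=');
        if (eq < 0) return null;                 // no '=' in the name-value pair
        String name = pair.substring(0, eq).trim();
        if (name.isEmpty()) return null;         // empty cookie name
        Parsed cookie = new Parsed(name, pair.substring(eq + 1).trim());
        for (int i = 1; i < parts.length; i++) {
            String av = parts[i];
            int aeq = av.indexOf('=');
            String attrName = (aeq < 0 ? av : av.substring(0, aeq)).trim();
            String attrValue = aeq < 0 ? "" : av.substring(aeq + 1).trim();
            if (attrName.isEmpty()) continue;    // e.g. a trailing ';'
            // Lower-casing makes "Path" and "path" the same key.
            cookie.attributes.put(attrName.toLowerCase(Locale.ROOT), attrValue);
        }
        return cookie;
    }

    public static void main(String[] args) {
        // The two header values quoted in the message above.
        String[] samples = { "cookie_name=value; Path=/", "cookie_name=value;path=/" };
        for (String s : samples) {
            Parsed c = parse(s);
            System.out.println(c.name + "=" + c.value + " " + c.attributes);
        }
    }
}
```

Test assertions that compare `attributes.get("path")` rather than the raw header string are unaffected by the spacing and case difference between the two Tomcat versions.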