Mark,

On 4/26/17 2:55 PM, Mark Thomas wrote:
> On 26/04/17 19:07, Christopher Schultz wrote:
>
> <snip/>
>
>> The log message says that the value of the cookie is
>> "mqpp=1,kiosk=true" (without the quotes).
>>
>> The offending character (decimal 44... I was surprised it wasn't
>> a hex value) is a comma. I think either the Cookie class or
>> Tomcat is mis-managing my cookie value. I was expecting
>> Cookie/Tomcat to just "make it work" regardless of the value I
>> tried to put into the cookie.
>>
>> This has worked without any problems prior to Tomcat 8.5.x.
>>
>> The javadoc for Cookie.setVersion says that when version=1,
>> cookie values should conform to 2109, but since Tomcat is now
>> using RFC 6265 perhaps there is conflict between the two?
>
> In short, yes there is a conflict. :(

That's what I feared.

> RFC 6265 does not permit ',' (and a bunch of other characters) to
> be used in the value and provides no escape or encoding syntax for
> including these characters.

Fabulous.

> RFC 2109 allows quoted string to be used. In this Tomcat can (and
> will) do what needs to be done to make the cookie value 'just
> work'.

So does 6265 just basically do away with all attempts to quote things and say "if you want weird stuff in there, use base64"?

>> Is there a way I can make both javax.servlet.http.Cookie and
>> Tomcat 8.5.x+ happy? I can easily manually-quote this cookie
>> value in whatever way is required.
>
> You could switch to the LegacyCookieProcessor. Other than that,
> you'd need to find a different delimiter for the values in your
> Cookie.

I'd prefer not to fall back to the LegacyCookieProcessor because default s. I'll probably use base64, then none of this will ever be a problem again. Unless "=" isn't allowed in there. But my cookie has two of those, and Tomcat didn't complain, so it's probably okay.

>> Or is this a bug in either j.s.h.Cookie or Tomcat's RFC 6265
>> validator (or a combination of the two)?
>
> The RFC 6265 spec (and hence CookieProcessor) is (arguably) not
> fully compliant with the Servlet spec.

Okay, good to know that this is at least an *expected* incompatibility and not that I'm specifically doing anything wrong.

Thanks,
-chris
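
An added example, not part of the original message and not Tomcat's own code: it checks a value against the `cookie-octet` grammar of RFC 6265 section 4.1.1 and shows the base64 approach discussed in the thread. The class and method names are hypothetical; only `java.util.Base64` from the JDK is used.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class CookieValueCheck {
    // RFC 6265 section 4.1.1, cookie-octet:
    //   %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
    // Excluded: controls, space, DQUOTE (0x22), comma (0x2C),
    // semicolon (0x3B), backslash (0x5C) and anything above 0x7E.
    static boolean isCookieOctet(char c) {
        return c == 0x21 || (c >= 0x23 && c <= 0x2B) || (c >= 0x2D && c <= 0x3A)
            || (c >= 0x3C && c <= 0x5B) || (c >= 0x5D && c <= 0x7E);
    }

    // Index of the first character outside cookie-octet, or -1 if none.
    static int firstInvalid(String value) {
        for (int i = 0; i < value.length(); i++) {
            if (!isCookieOctet(value.charAt(i))) return i;
        }
        return -1;
    }

    // base64url without padding uses only A-Z a-z 0-9 '-' '_'.
    static String encode(String raw) {
        return Base64.getUrlEncoder().withoutPadding()
                     .encodeToString(raw.getBytes(StandardCharsets.UTF_8));
    }

    // The cookie comes back from the client, so treat it as untrusted:
    // decode() throws IllegalArgumentException on malformed input.
    static String decode(String cookieValue) {
        return new String(Base64.getUrlDecoder().decode(cookieValue), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        String raw = "mqpp=1,kiosk=true"; // value quoted in the thread
        int bad = firstInvalid(raw);
        System.out.println("raw: first invalid index = " + bad
            + (bad >= 0 ? " (decimal " + (int) raw.charAt(bad) + ")" : ""));
        String enc = encode(raw);
        System.out.println("base64url: " + enc + ", first invalid index = " + firstInvalid(enc));
        System.out.println("round trip ok: " + decode(enc).equals(raw));
        // The standard alphabet ('+', '/', '=' padding) is also inside cookie-octet.
        String std = Base64.getEncoder().encodeToString(raw.getBytes(StandardCharsets.UTF_8));
        System.out.println("standard base64: first invalid index = " + firstInvalid(std));
    }
}
```

Base64 only changes the encoding of the value; it adds no integrity or confidentiality, so the decoded content still needs validation on the server side.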