> From: [email protected] [mailto:[email protected]] On
> Behalf Of Jared Walker
> Subject: Tomcat 8.5.4 and LegacyCookieProcessor
> We are migrating to the version of Tomcat identified in the subject
Before exposing an almost year-old version to the nasty real world, you might
want to look at this:
http://tomcat.apache.org/security-8.html
and then pick a newer level (hint: 8.5.15 would be good).
> 1. What are the security and compatibility concerns when using the
> legacy processor
Sorry, can't answer that one.
> 2. The header for LegacyCookieProcessor.java explicitly states: "This
> class is not thread-safe."
> Can someone here with background knowledge explain exactly what's not
> thread-safe about the processor? Does this mean you cannot use it for
> multiple simultaneous requests (pretty hindering for a server) or does
> this mean that you cannot have multiple threads parse the cookie
> contents of a request in parallel (which isn't a very normal thing to
> do)?
It's neither, really; there is one instance of CookieProcessor per <Context>,
and the fields within LegacyCookieProcessor that make it not thread-safe are
only set (in Tomcat) when the <Context> is initialized. Were you to
dynamically reset the fields while requests were in progress, you could get in
trouble. The fields are described here:
http://tomcat.apache.org/tomcat-8.5-doc/config/cookie-processor.html
- Chuck
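
The lifecycle described in the reply above, as an added example that is not part of the original message and not Tomcat's code. `SketchCookieProcessor`, its `BitSet` of separators and `tokenEnd` are hypothetical stand-ins: the instance is configured once at initialization and then shared read-only by request threads.

```java
import java.util.*;
import java.util.concurrent.*;

// Hypothetical stand-in for illustration; not Tomcat's LegacyCookieProcessor source.
public class PerContextProcessorDemo {
    static final class SketchCookieProcessor {
        // Plain mutable configuration state with no synchronization.
        private final BitSet separators = new BitSet(128);

        SketchCookieProcessor() {
            for (char c : "()<>@,;:\\\"[]?={} \t".toCharArray()) {
                separators.set(c);
            }
        }

        // Configuration path: mutates the shared BitSet in place.
        void setForwardSlashIsSeparator(boolean on) {
            separators.set('/', on);
        }

        // Request path: only reads the shared BitSet.
        int tokenEnd(String value) {
            int i = 0;
            while (i < value.length() && !separators.get(value.charAt(i))) {
                i++;
            }
            return i;
        }
    }

    public static void main(String[] args) throws Exception {
        // Initialization: one instance, configured before any request thread exists.
        SketchCookieProcessor processor = new SketchCookieProcessor();
        processor.setForwardSlashIsSeparator(true);

        // Request handling: eight threads share the instance and only read it.
        // submit() gives a happens-before edge, so every task sees the setup above.
        ExecutorService pool = Executors.newFixedThreadPool(8);
        Callable<Integer> parse = () -> processor.tokenEnd("abc/def"); // constructed input
        List<Future<Integer>> results = new ArrayList<>();
        for (int i = 0; i < 1000; i++) results.add(pool.submit(parse));
        for (Future<Integer> f : results) {
            if (f.get() != 3) throw new AssertionError("inconsistent parse");
        }
        pool.shutdown();
        System.out.println("1000 concurrent parses agreed: token ends at index 3");
    }
}
```

A call to `setForwardSlashIsSeparator` from another thread while the pool is still running has no such ordering guarantee, which is the situation the reply warns about.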