Hi Mark, thanks for the quick reply. How can i realize option 1? How can i configure STRICT_SERVLET_COMPILANCE?
thanks, Joerg Mark Thomas <ma...@apache.org> 07.09.2009 15:17 Please respond to "Tomcat Users List" <users@tomcat.apache.org> To Tomcat Users List <users@tomcat.apache.org> cc Subject Re: Cookie value with equal sign getting truncated Joerg Schaefer wrote: > It seems, that Tomcat doesn't allow a "= " sign in the cookie value. It is the cookie specs that doesn't allow unquoted '=' and Tomcat got stricter about enforcing the specs as a result of a couple of security vulnerabilities. > If there is a "=" it put the value into "" -signs. Yep - as per the spec. Values that contain '=' have to be v1 cookies and have to be quoted. > This problem occurs with Tomcat 6.0.18. The cookie changes started in 6.0.14 and caused various regressions. The 6.0.18+ behaviour (ie the auto switching to v1 cookies) was added to help those apps that used '=' in the value and couldn't easily fix this themselves. > Are there a workarounds available to disable this behavior? Your options are: 1) Have v0 cookies with '=' treated as invalid (use STRICT_SERVLET_COMPILANCE) 2) Have Tomcat automatically switch the cookie to v1 and add the quotes (the default) 3) Don't use '=' in cookie values (ie change your app) Mark --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org *** DEPARTMENT DISCLAIMER ***
