I think the default was just to preserve compatibility with previous (albeit broken) versions. I can't think of any security issue or any other reason why you would want malformed cookies to get into your app code.
Chuck On Feb 10, 2011, at 12:14 PM, Dov Rosenberg wrote: > We came across a strange issue that took a bit to figure out but thought it > would be worthwhile to let everyone else know what happened > > Problem > Some users were having trouble saving a form (WOComponent based) > intermittently. Normally these kinds of problems are nearly impossible to > figure out unless you get lucky. We got lucky. > > Root Cause > Looking thru the log files we saw a handful of error messages that looked like > > 410901380 [http-8228-Processor2] WARN er.extensions.appserver.ERXRequest - > java.lang.IllegalStateException: Malformed cookie content: > > The default OOTB behavior of WebObjects is to throw an exception when a > malformed cookie is detected in the HTTP Request. This disrupts the normal > HTTP request/response loop which played hell with our WOComponent. > > The malformed cookie was being set by another web site in their domain that > was using Google Analytics. Not sure what the problem was with the cookie – > saw one that URL encoded 4 times over and another with a null value. > > Solution > Thankfully the WO folks realized that throwing an exception while processing > cookies might be a bad thing (default behavior) that they added an > initialization parameter to change the default behavior to something more > sensible. By setting WOAcceptMalformedCookies=true all cookies will be > accepted but the malformed ones will be dropped and not processed. After > changing the default behavior our app stopped misbehaving. > > Not sure if changing the default behavior is a good thing from a security > perspective but it did resolve the error for us. Anyone have any thoughts on > the impact of this change? > > Dov Rosenberg > InQuira > > > _______________________________________________ > Do not post admin requests to the list. They will be ignored. > Webobjects-dev mailing list ([email protected]) > Help/Unsubscribe/Update your Subscription: > http://lists.apple.com/mailman/options/webobjects-dev/chill%40global-village.net > > This email sent to [email protected] -- Chuck Hill Senior Consultant / VP Development Practical WebObjects - for developers who want to increase their overall knowledge of WebObjects or who are trying to solve specific problems. http://www.global-village.net/products/practical_webobjects
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ Do not post admin requests to the list. They will be ignored. Webobjects-dev mailing list ([email protected]) Help/Unsubscribe/Update your Subscription: http://lists.apple.com/mailman/options/webobjects-dev/archive%40mail-archive.com This email sent to [email protected]
