Thanks Mark and everyone else. I appreciate all of the sentiments. It is very annoying that MS can't get on the bus for something like this, even in Edge. But as you said IE remains the default corporate browser on Windows.
I appreciate your working on this. Brooke Hedrick -----Original Message----- From: Christopher Schultz [mailto:ch...@christopherschultz.net] Sent: Monday, November 07, 2016 9:25 AM To: Tomcat Users List <users@tomcat.apache.org> Subject: Re: Tomcat 8.5.5 (8.5+) Default Cookie Processor breaks persistent cookies for all IE versions -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Stefan, On 11/6/16 4:31 AM, Stefan Mayr wrote: > Am 05.11.2016 um 23:58 schrieb Mark Thomas: >> While we could make a stand on this particular point, I suspect that >> Microsoft won't even notice and all it will do is make life difficult >> for our users. As annoyed as I am with Microsoft about this, making >> life difficult for Tomcat users is not what this community is about. >> As much as it pains me to say it, I think we are going to have to >> work around this. >> >> Maybe an new option: >> enableWorkaroundForBrokenMicrosoftCookieHandling >> >> Seriously, we need to decide if this needs to be configurable or not. >> Given that RFC6265 allows both expires and max-age to be sent and the >> the legacy processor sends both by default I'm currently leaning >> towards just sending both in the RFC6265 processor. > > +1 sending both headers > > Assume the following: people upgrade Tomcat and the app stops working > in IE (most corporate users default browser). They will blame Tomcat - > not IE. Why should we risk to damage Tomcats reputation if sending > both headers is still standards compliant? > This "hack" seems quite acceptable for me. Adding a configuration > option for a "strict" mode would make it easier to test future browser > implementations with real applications. I'm +1 on adding an option, and I think it should be enabled *by default*. The name of the option should be more clear about what it actually does rather than "fix cookies for stupid MSIE" (as satisfying as that would be). It should be something more like supplyExpiresAndMaxAgeWithCookies. - -chris -----BEGIN PGP SIGNATURE----- Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIcBAEBCAAGBQJYIJzaAAoJEBzwKT+lPKRYPHAQAL/zTmi/A4wdWUVoWZlSM+Jd jrxpewT/a2QmhFChpTworCYGk8U4qkfPwuCuh8SEc91+5e8RuUiUQH+HAmnzjaHc f/h40HJIE3EFdKQVt5+QLagrD0XTlt/p+AjmlyEVVlTDAGqx67JX9NaFjvRe0GD+ 7i3BgBJeuw9Mo4rAVZmOtTkW1njR+1I066Bq1X8+fK48u7Btq4rJgOjiVmNTjPax HhemAPtg/rgaNFCM/TmWdCj1XfmVHHlwwoWxbvn+fPO2IXBJccNBscxZBjaeOvuD lXjzvsHxeWMxa9JkqgwBxQQNeE2PZNd5od5nbayhhpehhqAMEjKlKhPGx/SHZno9 thNxvhQ+3x0u7JzZMgZi2dVsmZSa7vWAiGLdJHWzpiyQI7m9vwYMMlr/d8s5irXi NR6nhf/dyjEKbSNqEqEKH+oJHblkEedcKn5vaLMKFTpD1dT5itvslGum3PdyJgAj 647qnxJnkhRJkZ5zxwO1KHSIQjcQRZHrKsWMWsuh2rJbchwvvi9q7Ts/uBc+nRO6 idfWUr5SqLaC7a/HA9zq7jeJwfqAWyu3fC2ZZFMctKq7K6+Ebf8wH4PhUD5vov8O 3GfOh2im+6IrAepMDCZJxcSgFRRi+Xbsd+kaw8YLQh2utCkrgBjmvkKxOrSIfcVq PFQuAUNv3sDqmEPsJuKv =kL5K -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
