Cookies with special symbols in its values aren't properly saved
----------------------------------------------------------------
Key: WICKET-2577
URL: https://issues.apache.org/jira/browse/WICKET-2577
Project: Wicket
Issue Type: Bug
Components: wicket
Affects Versions: 1.4.4
Reporter: Michael Mikhulya
Cookies with special symbols in their values aren't properly saved and, as a
result, aren't properly loaded.
A real example is the use of an email name as a login in a login form with
the "remember me" feature.
The problem is that an email name contains the '@' symbol, which is inside the
"tspecials" set according to rfc2068 (2.2), and so can't be used in a cookie value.
A possible solution to this issue is to use "quoted-string" instead of
"token", as described in rfc2109 (4.1).
To work around this problem I override getValuePersister class of a Form class:

    @Override
    protected IValuePersister getValuePersister() {
        return new CookieValuePersister() {
            @Override
            public void save(String key, String value) {
                super.save(key, "\"" + value + "\"");
            }
        };
    }

Without this workaround, the loaded value is just "username" instead of
"[email protected]".
I believe the proper place to fix it is in the Cookie class, but probably there are
some historical reasons not to follow the RFC.
E.g. in jetty's servlet-api-2.5-6.1.9 you can see the following code:

    // Note -- disabled for now to allow full Netscape compatibility
    // from RFC 2068, token special case characters
    //
    // private static final String tspecials = "()<>@,;:\\\"/[]?={} \t";
    private static final String tspecials = ",; ";

But the issue exists in the tomcat implementation of servlet-api too, and it also
depends on the browser.
So I suggest adding a workaround in wicket. Probably we should add quotes only if
tspecials are contained inside the cookie value, but in my workaround I don't care
about two extra chars and also don't check whether the value is already quoted.
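
The closing suggestion in the report (quote only when tspecials are present, and cope with values that already contain quotes), written out as an added example that is not part of the original report or of Wicket. The class and method names are hypothetical, and it assumes the servlet container writes the cookie value through unchanged. Control characters are rejected because the login name is user-supplied and ends up in a response header.

```java
// Added example, not Wicket code: RFC 2109 quoted-string handling for cookie values.
public final class CookieValueQuoting {
    // tspecials from RFC 2068 section 2.2, as quoted in the report above.
    private static final String TSPECIALS = "()<>@,;:\\\"/[]?={} \t";

    /** Returns the value as a token if possible, otherwise as a quoted-string. */
    public static String encode(String value) {
        boolean needsQuotes = value.isEmpty();
        StringBuilder quoted = new StringBuilder("\"");
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            // CTLs (incl. CR/LF) and non-ASCII cannot be carried safely in a header.
            if ((c < 0x20 && c != '\t') || c >= 0x7f) {
                throw new IllegalArgumentException("illegal character in cookie value at index " + i);
            }
            if (TSPECIALS.indexOf(c) >= 0) {
                needsQuotes = true;
            }
            if (c == '"' || c == '\\') {
                quoted.append('\\'); // quoted-pair, so embedded quotes survive a round trip
            }
            quoted.append(c);
        }
        return needsQuotes ? quoted.append('"').toString() : value;
    }

    /** Reverses encode(); values that are not quoted are returned unchanged. */
    public static String decode(String raw) {
        if (raw.length() < 2 || raw.charAt(0) != '"' || raw.charAt(raw.length() - 1) != '"') {
            return raw;
        }
        StringBuilder out = new StringBuilder();
        for (int i = 1; i < raw.length() - 1; i++) {
            char c = raw.charAt(i);
            if (c == '\\' && i + 1 < raw.length() - 1) {
                c = raw.charAt(++i); // drop the escaping backslash
            }
            out.append(c);
        }
        return out.toString();
    }

    public static void main(String[] args) {
        String login = "user@example.com"; // constructed sample value
        String stored = encode(login);
        System.out.println(stored + " -> " + decode(stored));
        System.out.println(encode("plainuser")); // no tspecials, left as a token
    }
}
```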