[ https://issues.apache.org/jira/browse/WICKET-2577?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Igor Vaynberg resolved WICKET-2577.
-----------------------------------

      Assignee: Igor Vaynberg
    Resolution: Won't Fix

see WICKET-2842 for how to make this work

> Cookies with special symbols in its values aren't properly saved
> ----------------------------------------------------------------
>
>                 Key: WICKET-2577
>                 URL: https://issues.apache.org/jira/browse/WICKET-2577
>             Project: Wicket
>          Issue Type: Bug
>          Components: wicket
>    Affects Versions: 1.4.4
>            Reporter: Michael Mikhulya
>            Assignee: Igor Vaynberg
>
> Cookies with special symbols in their values aren't properly saved and, as a
> result, aren't properly loaded.
> The real example is the use of an email name as a login in a login form with
> a "remember me" feature.
> The problem is that an email name contains the '@' symbol, which is inside the
> "tspecials" set according to rfc2068 (2.2), and so can't be used in a cookie
> value.
> The possible solution to this issue is to use "quoted-string" instead of
> "token", as described in rfc2109 (4.1).
> To work around this problem I override getValuePersister class of a Form class:
>               @Override
>               protected IValuePersister getValuePersister() {
>                       return new CookieValuePersister() {
>                               @Override
>                               public void save(String key, String value) {
>                                       super.save(key, "\"" + value + "\"");
>                               }
>                       };
>               }
> Without this workaround the loaded value is just "username" instead of
> "[email protected]".
> I believe the proper place to fix it is in the Cookie class, but probably there
> are some historical reasons not to follow the RFC.
> E.g. in jetty servlet-api-2.5-6.1.9 you can see the following code:
>     // Note -- disabled for now to allow full Netscape compatibility
>     // from RFC 2068, token special case characters
>     // 
>     // private static final String tspecials = "()<>@,;:\\\"/[]?={} \t";
>     private static final String tspecials = ",; ";
> But the issue exists in the tomcat implementation of servlet-api too and also
> depends on the browser.
> So I suggest adding a workaround in wicket. Probably we should add quotes only
> if tspecials are contained inside the cookie value, but in my workaround I don't
> care about two extra chars and also don't check whether the value is already
> quoted.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
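
The quoting idea raised at the end of the issue (quote only when tspecials are present, and cope with values that already contain quotes), as an added example that is not Wicket, Jetty or Tomcat code. The class and method names are hypothetical, the sample values are constructed, and the escaping follows the quoted-pair rule of rfc2068 (2.2):

```java
// Added example: hypothetical helper, not part of Wicket or any servlet container.
public final class CookieValueQuoting {
    // tspecials from rfc2068 (2.2), the same set shown in the issue.
    private static final String TSPECIALS = "()<>@,;:\\\"/[]?={} \t";

    /** True if the value is a plain token and can be sent unquoted. */
    static boolean isToken(String value) {
        if (value.isEmpty()) return false;
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (c <= 0x20 || c >= 0x7f || TSPECIALS.indexOf(c) >= 0) return false;
        }
        return true;
    }

    /** Quote only when needed; escape '"' and '\' so the value cannot end the quoted-string early. */
    static String encode(String value) {
        if (isToken(value)) return value;
        StringBuilder sb = new StringBuilder(value.length() + 2).append('"');
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            // Control characters (CR, LF, ...) are refused rather than escaped.
            if ((c < 0x20 && c != '\t') || c == 0x7f) throw new IllegalArgumentException("control character in cookie value");
            if (c == '"' || c == '\\') sb.append('\\');
            sb.append(c);
        }
        return sb.append('"').toString();
    }

    /** Inverse of encode: strips the quotes and quoted-pair escapes if the value is quoted. */
    static String decode(String raw) {
        if (raw.length() < 2 || raw.charAt(0) != '"' || raw.charAt(raw.length() - 1) != '"') return raw;
        StringBuilder sb = new StringBuilder(raw.length() - 2);
        for (int i = 1; i < raw.length() - 1; i++) {
            char c = raw.charAt(i);
            if (c == '\\' && i + 1 < raw.length() - 1) c = raw.charAt(++i);
            sb.append(c);
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample values: a token, an email-style login, a value with '"' and ';'.
        for (String v : new String[] {"username", "user@example.test", "a\"b;c"}) {
            String wire = encode(v);
            System.out.println(v + " -> " + wire + " -> " + decode(wire));
        }
    }
}
```

Because every embedded quote is escaped, a value that already starts and ends with '"' round-trips unchanged instead of being mistaken for an encoded one.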