https://bz.apache.org/bugzilla/show_bug.cgi?id=59655
Bug ID: 59655
Summary: The CookieNameValidator has issue that related to the
consistency
Product: Tomcat 9
Version: unspecified
Hardware: All
OS: All
Status: NEW
Severity: normal
Priority: P2
Component: Catalina
Assignee: [email protected]
Reporter: [email protected]
The javax.servlet.http.CookieNameValidator has multiple implementations.
If the org.apache.tomcat.util.http.ServerCookie.STRICT_NAMING system property
is not specified, the javax.servlet.http.NetscapeValidator will be used in
default.
The NetscapeValidator allows HTTP separators (excluding semi-colon, comma and
white space) in the cookie name.
However, the Rfc6265CookieProcessor and the LegacyCookieProcessor do not allow
HTTP separators in the cookie name.
As a result, although Tomcat sends cookie header that include HTTP separators
in the cookie name, the Tomcat can not receive the cookie header.
I think that it lacks consistency.
The CookieNameValidator and the CookieProcessor should be the consistency.
On the other hand, the implementation of CookieNameValidator to use can be
switched by the org.apache.tomcat.util.http.ServerCookie.STRICT_NAMING system
property, but can not be switched per Context, like the CookieProcessor.
I think that setting of the CookieNameValidator per Context is more useful.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
