https://bz.apache.org/bugzilla/show_bug.cgi?id=59703

            Bug ID: 59703
           Summary: RFC 6265 Cookie Processor doesn't allow cookie domains
                    with a leading dot.
           Product: Tomcat 8
           Version: 8.0.35
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: blocker
          Priority: P2
         Component: Catalina
          Assignee: dev@tomcat.apache.org
          Reporter: alex.bl...@garmin.com

In Tomcat 7 or Tomcat 8, we're seeing HTTP 500s in our access logs due to being
sent requests with cookie values containing UTF-8 characters. 
The corresponding catalina.out exception we see is this:
java.lang.IllegalArgumentException: Control character in cookie value or attribute.
        at org.apache.tomcat.util.http.LegacyCookieProcessor.isHttpSeparator(LegacyCookieProcessor.java:733)

A recommended fix is to instead use Tomcat 8.0.35 with the
org.apache.tomcat.util.http.Rfc6265CookieProcessor in my context.
( https://tomcat.apache.org/tomcat-8.0-doc/config/cookie-processor.html )

This fixed that problem, but introduced a new one!

My responses are now blowing up because I'm setting a leading dot on cookie
domains in my generated cookies.  I'm doing this so subdomains can see them. 
(Example: I want to set a cookie with domain '.example.com' so subdomain sites
like meh.example.com & foo.example.com would both see them.) 

Here's the exception I'm now seeing:
java.lang.IllegalArgumentException: An invalid domain [.example.com] was specified for this cookie
        at org.apache.tomcat.util.http.Rfc6265CookieProcessor.validateDomain(Rfc6265CookieProcessor.java:180)
        at org.apache.tomcat.util.http.Rfc6265CookieProcessor.generateHeader(Rfc6265CookieProcessor.java:122)

Can someone look at fixing the validateDomain() method to allow leading dots in
cookie domains?

This usage is perfectly legal and in fact necessary for compatibility with old
browsers like IE8/9 that will ONLY allow these cookies to be seen by subdomains
IF they have that leading dot set! 
(As far as I can tell anyway, a leading dot in cookie domains IS valid.)

Thanks, -Alex
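The following is an added example, not code from the bug report and not Tomcat's own Rfc6265CookieProcessor. It shows the two sides of the disagreement above: a strict server-side syntax check on the Domain attribute (RFC 6265 section 4.1.1 requires a subdomain value, so a leading dot fails; strict_domain_valid() is assumed to mirror the behaviour the report describes, not the project's actual validateDomain() code), against the user-agent rules of RFC 6265 section 5.2.3 and 5.1.3, under which a leading dot is simply dropped before domain-matching, so ".example.com" and "example.com" make the cookie visible to exactly the same hosts. The host names and the set_cookie_header() helper, which strips the dot before validation as one server-side workaround, are constructed for the example.

```python
"""Added example: RFC 6265 Domain attribute handling, server side vs. user agent.

Not Tomcat code. strict_domain_valid() is an assumed stand-in for a strict
RFC 6265 cookie processor; the host names below are constructed test data.
"""
import re
from typing import List, Optional

# One DNS label (RFC 1034 syntax): starts and ends with a letter or digit,
# hyphens only in the interior. RFC 6265 s4.1.1 says the Domain attribute
# value is a <subdomain>, i.e. labels joined by single dots, no leading dot.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
_STRICT_DOMAIN = re.compile(rf"{_LABEL}(?:\.{_LABEL})*")


def strict_domain_valid(domain: str) -> bool:
    """Server-side syntax check on a Domain attribute before it is emitted.

    Rejects a leading or trailing dot or hyphen and empty labels. This is an
    assumption about what a strict RFC 6265 processor enforces, written for
    this example; it is not a copy of Tomcat's validateDomain().
    """
    return _STRICT_DOMAIN.fullmatch(domain) is not None


def ua_cookie_domain(attribute_value: str) -> Optional[str]:
    """What an RFC 6265 user agent does with the raw Domain attribute value.

    s5.2.3: an empty value is ignored; a single leading "." is removed;
    the result is lower-cased. A trailing "." (s4.1.2.3 note) can never
    domain-match a canonicalised request host, so the cookie is dropped.
    """
    if attribute_value == "":
        return None
    value = attribute_value[1:] if attribute_value.startswith(".") else attribute_value
    if value == "" or value.endswith("."):
        return None
    return value.lower()


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 s5.1.3 domain-matching for host names (IP literals excluded)."""
    host = request_host.lower()
    if not cookie_domain or re.fullmatch(r"[0-9.]+", host):
        return False
    if host == cookie_domain:
        return True
    # cookie_domain must be a suffix of host and the character just before
    # that suffix must be a dot, so "notexample.com" does not match "example.com".
    return (host.endswith(cookie_domain)
            and len(host) > len(cookie_domain)
            and host[-len(cookie_domain) - 1] == ".")


def cookie_visible_to(set_by_host: str, domain_attr: str, hosts: List[str]) -> List[str]:
    """Hosts an RFC 6265 user agent would later send the cookie to.

    s5.3 step 6: the cookie is only stored if the host that set it
    domain-matches the (canonicalised) Domain attribute; s5.4 then sends it
    to every request host that domain-matches. Returns [] if rejected.
    """
    cookie_domain = ua_cookie_domain(domain_attr)
    if cookie_domain is None or not domain_matches(set_by_host, cookie_domain):
        return []
    return [h for h in hosts if domain_matches(h, cookie_domain)]


def set_cookie_header(name: str, value: str, domain: str) -> str:
    """Server-side workaround (assumed, not Tomcat's fix): normalise away the
    leading dot that RFC 6265 user agents ignore anyway, then apply the strict
    check, so the emitted header is accepted by the strict processor."""
    normalised = domain[1:] if domain.startswith(".") else domain
    if not strict_domain_valid(normalised):
        raise ValueError(f"An invalid domain [{domain}] was specified for this cookie")
    return f"{name}={value}; Domain={normalised}; Path=/"


if __name__ == "__main__":
    # Constructed hosts for the scenario in the report.
    hosts = ["meh.example.com", "foo.example.com", "example.com", "notexample.com"]
    for attr in (".example.com", "example.com"):
        print(f"Domain={attr!r}: strict check {strict_domain_valid(attr)}, "
              f"UA sends to {cookie_visible_to('meh.example.com', attr, hosts)}")
    print(set_cookie_header("sid", "abc123", ".example.com"))
```

Running the block prints that the strict check rejects ".example.com" and accepts "example.com", while the user-agent simulation returns the same three matching hosts for both spellings; set_cookie_header() emits `Domain=example.com` for a caller that passed the dotted form. Whether any particular legacy browser also requires the dot is outside what RFC 6265 specifies and is not something this example can settle.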
