https://bz.apache.org/bugzilla/show_bug.cgi?id=60788
Mark Thomas <ma...@apache.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Resolution|--- |WONTFIX Status|REOPENED |RESOLVED --- Comment #12 from Mark Thomas <ma...@apache.org> --- This particular behaviour relates to exactly what should be presented to, and returned from, the Servlet API. The Servlet spec is silent on this issue. What the Tomcat developers opted for was the general aim of symmetric, consistent round-trip behaviour. For any valid value it should be possible to create a Cookie with a given value, add it to the response and then retrieve the same value from the next request. For RFC 2109 cookies (anything with an explicit version of 1 or 0) - unquoted values that require quoting to be valid are automatically quoted and escaped to make them valid - any quotes and escaping in received values is retained. Because of the various edge cases around quoting RFC2109 cookies, keeping the values as quoted made handling simpler and less likely to do the wrong thing. The quotes are always removed from received RFC 6265 cookies (anything without an explicit version of 1 or 0). Tomcat also strips quotes before generating the Cookie header for RFC 6265 cookies. Because there is no escaping in RFC 6265 and because quotes are not allowed in values, removing them was much simpler (and generally is what applications expect). There are a lot of edge cases in all of this and no single solution that works perfectly for everyone. The current behaviour has evolved over a long period of time to a solution that works for most users, most of the time and configuration options to cover the majority of edge cases. As such, changes are unlikely but not impossible (e.b. bug 60627). Ultimately, the last major refactoring added the CookieProcessor interface which enables any user to essentially completely customise the cookie handling on a per application basis. -- You are receiving this mail because: You are the assignee for the bug. --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org