Hi all,

The IETF HTTP working group is working on RFC 6265bis (the RFC that will replace RFC 6265). I have been reviewing the changes to see what impact they might have on Tomcat and our users.

There are a few changes (e.g. SameSite) we have already implemented.

There are quite a few changes that I think don't impact us.

And then there is this:

Cookie: apple

Current Tomcat interprets that as name="apple" value=""

RFC 6265 says any name-value-pair from a Set-Cookie string without an "=" should be ignored and the Cookie headers should always use = between the name and the value.

RFC 6265bis would require name="", value="apple" when using the relaxed (receiver) parsing. The strict (sender) syntax does not allow a cookie without a name.

RFC 6265bis does appear to be consistent with browser intention [1] (at least intentions 10 years ago anyway).

So we are currently:
- accepting a cookie RFC 6265 says we should ignore
- interpreting it the opposite way to apparent browser intention
- interpreting it the opposite way to likely RFC 6265bis requirements

Given the above, I do wonder to what extent applications are actually using these cookies.

So, what should we do?

I think we need a new configuration option named "noEqualsCookie" (suggestions for a better name welcome) with three options:
- ignore
- name
- value

Tomcat 9, 10 & 11 have the default set to name so there is no change.

Tomcat 12 has the default set to value.

Thoughts?

Mark


[1] https://lists.apache.org/thread/w2ovto22r4mbvh0o307fvljvbkfsvzb4
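As an added example (not Tomcat's code and not part of the message above), here is a small Python cookie-header parser that implements the three proposed `noEqualsCookie` settings side by side, so the behaviour on a header such as `Cookie: apple` can be compared. The option name and the three modes come from the message; the split on the first `=` and the whitespace trimming around each pair are my own assumptions about delimiting.

```python
from enum import Enum


class NoEqualsCookie(Enum):
    """The three candidate settings for a Cookie pair that has no '='."""
    IGNORE = "ignore"  # RFC 6265: drop the pair entirely
    NAME = "name"      # current Tomcat 9/10/11 behaviour: name="apple", value=""
    VALUE = "value"    # RFC 6265bis relaxed parsing: name="", value="apple"


def parse_cookie_header(header: str,
                        mode: NoEqualsCookie = NoEqualsCookie.NAME) -> list:
    """Parse the value of a Cookie request header into (name, value) pairs.

    Pairs are separated by ';'. Within a pair the first '=' separates name
    from value, so a value may itself contain '='. A pair without any '='
    is handled according to `mode`. Trimming of surrounding whitespace is an
    assumption of this example, not something the message specifies.
    """
    pairs = []
    for raw in header.split(";"):
        pair = raw.strip()
        if not pair:
            continue  # empty segment, e.g. from a trailing ';'
        if "=" in pair:
            name, value = pair.split("=", 1)
            pairs.append((name.strip(), value.strip()))
        elif mode is NoEqualsCookie.IGNORE:
            continue
        elif mode is NoEqualsCookie.NAME:
            pairs.append((pair, ""))
        else:  # NoEqualsCookie.VALUE
            pairs.append(("", pair))
    return pairs


if __name__ == "__main__":
    # Constructed sample header mixing a normal pair, a bare token and a
    # value that contains '='.
    sample = "session=abc; apple; flags=x=y"
    for mode in NoEqualsCookie:
        print(mode.value, parse_cookie_header(sample, mode))
```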
