https://issues.apache.org/bugzilla/show_bug.cgi?id=55920
Bug ID: 55920
Summary: Quotes should not be removed from quoted cookie values
Product: Tomcat 8
Version: trunk
Hardware: All
OS: All
Status: NEW
Severity: enhancement
Priority: P2
Component: Connectors
Assignee: [email protected]
Reporter: [email protected]
When a Cookie header is passed in "Netscape" format (with no RFC2109 $Version
specified), quotation marks around the cookie value are stripped by
Cookies#processCookieHeader.
As I read RFC2109, the user-agent is required to send a "cookie-version" at the
start of the header. The "value" is defined by what was received in the
Set-Cookie header from the server:

    The value of the cookie-version attribute must be the value from the
    Version attribute, if any, of the corresponding Set-Cookie response
    header. Otherwise the value for cookie-version is 0.

RFC2965 has equivalent language.
RFC6265 (proposed) and Netscape do not require a "cookie-version" to be sent.
RFC6265 defines "cookie-value" as including the DQUOTE characters and such an
interpretation is consistent with Netscape.
User-agent support for RFC2109/2965 seems limited. Initial testing with Chrome
shows that it appears to retain quotation marks around cookie values even when
RFC2109 Version=1 cookies are set.