Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Tomcat Wiki" for change 
notification.

The "Cookies" page has been changed by KonstantinKolinko:
https://wiki.apache.org/tomcat/Cookies?action=diff&rev1=45&rev2=46

Comment:
s/ issues.apache.org / bz.apache.org /

   :: Invalid syntax will result in a user-data log entry and cookies being 
dropped rather than throwing of an IAE. Application impact is that requests 
with an invalid Cookie header will now be dispatched to the application. 
"Dropping a cookie" means an invalid cookie will not appear in the list 
returned by !HttpServletRequest#getCookies(). An application will still be able 
to access the original Cookie header and may perform its own parsing.
  
   P4 Ensure that the cookie header is always available for the application to 
parse manually.::
-  :: Stop modifying the header in-situ as part of the de-escaping process 
([[https://issues.apache.org/bugzilla/show_bug.cgi?id=57896|Bug 57896]]) so 
that an application can elect to perform its own parsing by calling 
getHeader("Cookie"). Eliminate the need for the PRESERVE_COOKIE_HEADER property 
that currently controls whether a copy of the header is made if modifications 
are needed. Perform de-escaping during the copy needed to convert the 
!MessageBytes to the String in Cookie#value, possibly during any conversation 
process needed to handle UTF-8.
+  :: Stop modifying the header in-situ as part of the de-escaping process 
([[https://bz.apache.org/bugzilla/show_bug.cgi?id=57896|Bug 57896]]) so that an 
application can elect to perform its own parsing by calling 
getHeader("Cookie"). Eliminate the need for the PRESERVE_COOKIE_HEADER property 
that currently controls whether a copy of the header is made if modifications 
are needed. Perform de-escaping during the copy needed to convert the 
!MessageBytes to the String in Cookie#value, possibly during any conversation 
process needed to handle UTF-8.
  
  === Impact of proposal on existing issues ===
  ||<:10%>'''Issue'''||Impact||
- ||[[https://issues.apache.org/bugzilla/show_bug.cgi?id=55917|Bug 
55917]]||Parsing will no longer cause an IAE. 8-bit values will be interpreted 
as a UTF-8 value and the cookie would be dropped if they are not a valid 
encoding.||
+ ||[[https://bz.apache.org/bugzilla/show_bug.cgi?id=55917|Bug 55917]]||Parsing 
will no longer cause an IAE. 8-bit values will be interpreted as a UTF-8 value 
and the cookie would be dropped if they are not a valid encoding.||
- ||[[https://issues.apache.org/bugzilla/show_bug.cgi?id=55918|Bug 55918]]||The 
cookie would be dropped rather than accepted.||
+ ||[[https://bz.apache.org/bugzilla/show_bug.cgi?id=55918|Bug 55918]]||The 
cookie would be dropped rather than accepted.||
- ||[[https://issues.apache.org/bugzilla/show_bug.cgi?id=55920|Bug 
55920]]||Valid values would be round tripped including quotes supplied by the 
application. Attempts to set invalid values would result in a IAE from 
addCookie. Invalid values sent by the browser would result in the cookie being 
ignored.||
+ ||[[https://bz.apache.org/bugzilla/show_bug.cgi?id=55920|Bug 55920]]||Valid 
values would be round tripped including quotes supplied by the application. 
Attempts to set invalid values would result in a IAE from addCookie. Invalid 
values sent by the browser would result in the cookie being ignored.||
- ||[[https://issues.apache.org/bugzilla/show_bug.cgi?id=55921|Bug 
55921]]||Attempts to set a cookie containing raw JSON would results in an IAE 
due to the DQUOTE characters. A cookie sent from the browser containing JSON 
would be accepted although any semicolons in the data would result in early 
termination (note, browsers other than Safari do not allow semicolons in values 
anyway).||
+ ||[[https://bz.apache.org/bugzilla/show_bug.cgi?id=55921|Bug 
55921]]||Attempts to set a cookie containing raw JSON would results in an IAE 
due to the DQUOTE characters. A cookie sent from the browser containing JSON 
would be accepted although any semicolons in the data would result in early 
termination (note, browsers other than Safari do not allow semicolons in values 
anyway).||
  
  == Parsing the Cookie header by Tomcat ==
  The various specifications define the following formats for the Cookie header 
sent by the user-agent:
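Review bot: the rewritten P4 bullet (the `+` block) carries over the typo "conversation process" where the text plainly means "conversion process" (the copy that turns the MessageBytes into the String in Cookie#value); since the line is already being touched for the host rename, fixing it in the same edit would save a second revision. The same applies to "a IAE" in the relinked Bug 55920 row and "would results in an IAE" in the relinked Bug 55921 row, both preserved verbatim in the new lines. The rename itself is consistent: all five links in this hunk move from issues.apache.org to bz.apache.org with the bug numbers unchanged.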
@@ -153, +153 @@

  showing codepoint U+00E1 being converted to its UTF-8 equivalent 0xC3 0xA1. 
This matches the behaviour defined by 
[[http://www.w3.org/html/wg/drafts/html/master/single-page.html#cookie|HTML5.]]
  
  ||'''Issue'''||'''Current behaviour (8.0.0-RC10/7.0.50)'''||'''Proposed new 
behaviour'''||'''Servlet + Netscape + RFC2109'''||'''Servlet + RFC 6265'''||
- ||0x80 to 0xFF in cookie value 
([[https://issues.apache.org/bugzilla/show_bug.cgi?id=55917|Bug 
55917]])||IAE||TBD||Netscape yes. RFC2109 requires quotes.||RFC 6265 never 
allowed.||
+ ||0x80 to 0xFF in cookie value 
([[https://bz.apache.org/bugzilla/show_bug.cgi?id=55917|Bug 
55917]])||IAE||TBD||Netscape yes. RFC2109 requires quotes.||RFC 6265 never 
allowed.||
- ||CTL allowed in quoted cookie values 
([[https://issues.apache.org/bugzilla/show_bug.cgi?id=55918|Bug 
55918]])||Allowed||TBD||Not allowed.||Not allowed.||
+ ||CTL allowed in quoted cookie values 
([[https://bz.apache.org/bugzilla/show_bug.cgi?id=55918|Bug 
55918]])||Allowed||TBD||Not allowed.||Not allowed.||
- ||Quoted values in V0 cookies 
([[https://issues.apache.org/bugzilla/show_bug.cgi?id=55920|Bug 
55920]])||Quotes removed.||TBD||Netscape - quotes are part of value.||Quotes 
are not part of value.||
+ ||Quoted values in V0 cookies 
([[https://bz.apache.org/bugzilla/show_bug.cgi?id=55920|Bug 55920]])||Quotes 
removed.||TBD||Netscape - quotes are part of value.||Quotes are not part of 
value.||
- ||Raw JSON in cookie values 
([[https://issues.apache.org/bugzilla/show_bug.cgi?id=55921|Bug 
55921]])||TBD||TBD||TBD||TBD||
+ ||Raw JSON in cookie values 
([[https://bz.apache.org/bugzilla/show_bug.cgi?id=55921|Bug 
55921]])||TBD||TBD||TBD||TBD||
  ||Allow equals in value||Not by default. Allowed if property 
set.||TBD||Netscape is ambiguous. RFC2109 requires quoting.||Allowed.||
  ||Allow separators in V0 names and values||Not by default. Allowed if 
property set.||TBD||Yes except semi-colon, comma and whitespace.||Never in 
names. Yes in values except semi-colon, comma and whitespace, double-quote and 
backslash.||
  ||Always add expires||Enabled by default. Disabled by 
property.||TBD||Netsacpe uses expires. RFC2109 uses Max-Age.||Allows either, 
none or both.||
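Review bot: the five relinked rows keep their bug numbers and column contents intact, but the unchanged "Always add expires" row in the same table still reads "Netsacpe" (should be "Netscape"); worth correcting while the table is open. Note also that the "Proposed new behaviour" column remains TBD on every relinked row, so this change only updates link targets and does not resolve any of the listed items.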
@@ -165, +165 @@

  ||Allow name only||Disabled by default. Enabled by property.||TBD||Netscape 
allowed and equals sign expected before empty value. RFC2109 not 
allowed.||Allowed but equals sign required before empty value.||
  
  Issues to add to the table above
-  * [[https://issues.apache.org/bugzilla/show_bug.cgi?id=55951|Bug 55951]] 
regarding UTF-8 encoded values from HTML5
+  * [[https://bz.apache.org/bugzilla/show_bug.cgi?id=55951|Bug 55951]] 
regarding UTF-8 encoded values from HTML5
   * Any further issues raised on mailing lists
  
  == Generating the Set-Cookie header by Tomcat ==

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
