Hi, I started to rewrite the cookie handling for 3.3, and I found some incredible things. First, using "Set-Cookie2:" for v1 cookies ( what's what tomcat3.2 does) is correct according to the latest spec ( RFC2965 ). But so far I found only one browser that recognize this cookie - Lynx. MSIE5, Netscape4.x and Netscape6 are just ignoring the header. Another problem is that the Cookie.java requires the old spec ( RFC 2109). To support the Servlet spec ( that asks for 2109 ) we need to go back to the old RFC, and use the Set-Cookie header for Version=1 Cookies ( and remove Discard - invalid in 2109 ). It seems 2109 is also unsupported by IE5, Netscape4 and 6 - and again seems to work with lynx... The problem with 2109 is that older versions of MSIE do not support it, and probably other browsers will fail too. Please, if you have any idea or more experience with Cookies, please help. The options are: - stick with the current Set-Cookie2 header. This is the latest ( current ) cookie spec, and I don't think future browsers will implement the obsoleted spec. - use RFC2109. The current Cookie.java ( and it seems servlet 2.3 is similar ) doesn't support the new features of 2965 ( port, discard ), and using 2109 is more "compatible" with the servlet specs. I would prefer the first choice - at least it'll not brake older brosers and it may work with future browsers. The second choice doesn't work with old or current browsers, and it's not likely to be supported in future. For the internal ( core ) representation, we should support the new 2965 attributes anyway. What do you think? Is anyone using V1 cookies ? Costin
