Hi all, I think that the CookieNameValidator has issue that related to the consistency.
The javax.servlet.http.CookieNameValidator has multiple implementations. If the org.apache.tomcat.util.http.ServerCookie.STRICT_NAMING system property is not specified, the javax.servlet.http.NetscapeValidator will be used in default. The NetscapeValidator allows HTTP separators (excluding semi-colon, comma and white space) in the cookie name. However, the Rfc6265CookieProcessor and the LegacyCookieProcessor do not allow HTTP separators in the cookie name. As a result, although Tomcat sends cookie header that include HTTP separators in the cookie name, the Tomcat can not receive the cookie header. I think that it lacks consistency. The CookieNameValidator and the CookieProcessor should be the consistency. On the other hand, the implementation of CookieNameValidator to use can be switched by the org.apache.tomcat.util.http.ServerCookie.STRICT_NAMING system property, but can not be switched per Context, like the CookieProcessor. I think that setting of the CookieNameValidator per Context is more useful. Best regards, Kyohei Nakamura
