Hi all,

I created a Bugzilla issue related to the previous mail.
https://bz.apache.org/bugzilla/show_bug.cgi?id=59655

What do you think about this?

Best regards,
Kyohei Nakamura

2016-05-23 15:48 GMT+09:00 Kyohei Nakamura <nakamura.kyohei....@gmail.com>:

> Hi all,
>
> I think that the CookieNameValidator has an issue related to
> consistency.
>
> The javax.servlet.http.CookieNameValidator has multiple implementations.
> If the org.apache.tomcat.util.http.ServerCookie.STRICT_NAMING system
> property is not specified, the javax.servlet.http.NetscapeValidator will be
> used by default.
>
> The NetscapeValidator allows HTTP separators (excluding semi-colon, comma
> and white space) in the cookie name.
> However, the Rfc6265CookieProcessor and the LegacyCookieProcessor do not
> allow HTTP separators in the cookie name.
> As a result, although Tomcat sends a cookie header that includes HTTP
> separators in the cookie name, Tomcat cannot receive the cookie header.
> I think that it lacks consistency.
> The CookieNameValidator and the CookieProcessor should be consistent.
>
> On the other hand, the implementation of CookieNameValidator to use can be
> switched by the org.apache.tomcat.util.http.ServerCookie.STRICT_NAMING
> system property, but cannot be switched per Context, like the
> CookieProcessor.
> I think that setting the CookieNameValidator per Context is more useful.
>
> Best regards,
> Kyohei Nakamura
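
The mismatch described in the mail, as an added example that is not part of the original message and is not Tomcat's code: it models the sending-side rule from the mail's wording and the receiving-side rule as an RFC 2616 token, then lists names that pass the first but fail the second. The class name, method names and sample cookie names are assumptions made for illustration.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public class CookieNameConsistency {
    // RFC 2616 section 2.2 separators; a token may contain none of them.
    static final String HTTP_SEPARATORS = "()<>@,;:\\\"/[]?={} \t";
    // Excluded by the Netscape rule as the mail words it; white space is
    // already rejected by isVisibleAscii(). Modeled from the mail, not from
    // Tomcat's source.
    static final String NETSCAPE_EXCLUDED = ";,";

    static boolean isVisibleAscii(char c) {
        return c > 0x20 && c < 0x7f;
    }

    static boolean accepts(String name, String excluded) {
        if (name.isEmpty()) {
            return false;
        }
        for (char c : name.toCharArray()) {
            if (!isVisibleAscii(c) || excluded.indexOf(c) >= 0) {
                return false;
            }
        }
        return true;
    }

    // Names the sending-side rule lets through but the receiving-side
    // token rule rejects: the cookie can be set but never read back.
    static List<String> setOnlyNames(List<String> names) {
        List<String> result = new ArrayList<>();
        for (String name : names) {
            if (accepts(name, NETSCAPE_EXCLUDED) && !accepts(name, HTTP_SEPARATORS)) {
                result.add(name);
            }
        }
        return result;
    }

    public static void main(String[] args) {
        // Constructed sample names; '=' is avoided because it delimits name from value.
        List<String> samples = Arrays.asList(
                "JSESSIONID", "user@site", "cart[0]", "a/b", "pref:lang", "bad;name");
        for (String name : setOnlyNames(samples)) {
            System.out.println("set-only cookie name: " + name);
        }
    }
}
```

Running the same check over the cookie names an application actually sets shows which ones depend on the lenient default and would be lost on the next request.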