Hi all,

This is a follow-up to the thread "Cookies are broken in 6.0.16?"
http://marc.info/?t=120253944500001&r=2&w=2

Before submitting a bug report on the matter exposed below I
wanted to open a discussion with Tomcat developers about it.

Summary of the above thread:
- Problem:
 If a webapp is using an equal sign in the value of a cookie,
 Tomcat alters the cookie value.
- Explanation:
 For security reasons a change has been introduced in 5.5.26 and
 6.0.16 to cookie management regarding the equal sign.
- Solution suggested by Filip Hanik in the thread:
 All applications should be modified to use cookie.setVersion(1)
 if they want to use an equal sign in their value.
 Using version 1 cookies surrounds all cookie attributes
 with quotes and leaves the value intact.

First of all, I'd like to point out that breaking existing cookie
behavior and requiring applications to be updated in order to
work properly is probably not the best choice ...
Clients tend to think twice before upgrading their applications
to a more recent version, and it is not a process they want to
perform every day...

In our webapp, we use an equal sign in a cookie's value.
Even though all other application servers we use (BEA WebLogic,
IBM WebSphere) do not have the above problem, I have decided
not to brag too much about this decision for Tomcat and I was
in the process of updating our CMS to use cookie version 1...

but...

... it does not work with IE 7.

Why?
Because a path is specified in our cookie. And Tomcat also
surrounds the path with quotes, which is not accepted by IE 7
(probably other versions of IE too, I have not tested yet).


Here is a simple test case.
Place this JSP in a directory "subdir" inside a ROOT webapp.
<%
// Version 0 cookie, no path: the baseline case
Cookie cookie1 = new Cookie("Cookie1", "Hello World 1!");

// Version 1 cookie, no path: value gets quoted, Version=1 is emitted
Cookie cookie2 = new Cookie("Cookie2", "Hello World 2!");
cookie2.setVersion(1);

// Version 0 cookie with a path: path is emitted unquoted
Cookie cookie3 = new Cookie("Cookie3", "Hello World 3!");
cookie3.setPath("/subdir");

// Version 1 cookie with a path: Tomcat also quotes the path
Cookie cookie4 = new Cookie("Cookie4", "Hello World 4!");
cookie4.setPath("/subdir");
cookie4.setVersion(1);

response.addCookie(cookie1);
response.addCookie(cookie2);
response.addCookie(cookie3);
response.addCookie(cookie4);
%>

Here is what the Tomcat response will output:
Set-Cookie: Cookie1="Hello World 1!"
Set-Cookie: Cookie2="Hello World 2!"; Version=1
Set-Cookie: Cookie3="Hello World 3!"; Path=/subdir
Set-Cookie: Cookie4="Hello World 4!"; Version=1; Path="/subdir"

==> IE 7 does not send back the cookie #4.

If, using Fiddler, we alter the response this way:
Set-Cookie: Cookie1="Hello World 1!"
Set-Cookie: Cookie2="Hello World 2!"; Version=1
Set-Cookie: Cookie3="Hello World 3!"; Path=/subdir
Set-Cookie: Cookie4="Hello World 4!"; Version=1; Path=/subdir

==> IE 7 accepts all the cookies.

I can understand the security reasons behind the modification
requiring quotes around cookies' attribute value.

So my questions are:
- What could be done in Tomcat to fix this?
- Is the security problem real? If it is, why do other
 application server vendors not have this behavior?
- As it breaks older applications and is not compatible
 with IE 7 in some circumstances, do you really think this
 modification should be kept that way?

Thanks in advance for your replies!

Best regards,
Olivier Jaquemet
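The Set-Cookie serialization rules the post above describes, as an added Python example (not Tomcat's code): values containing separators are quoted, Version=1 cookies also get a quoted Path, and a quote_path switch produces the Fiddler-edited header that IE 7 accepted. The set of characters that triggers quoting is an assumption modelled on the headers shown; how Tomcat alters an unquoted version-0 value is not modelled. A small parser confirms that a quoted value containing '=' or ';' round-trips intact.

```python
import re

# Separator characters whose presence forces a cookie value into a
# quoted string (assumed set, modelled on the post's observed output:
# a value with spaces is quoted, and '=' is the case that broke).
_NEEDS_QUOTING = re.compile(r'[\s=,;"\\()<>@:/\[\]?{}]')

def _quote(s):
    return '"' + s.replace('\\', '\\\\').replace('"', '\\"') + '"'

def set_cookie_header(name, value, version=0, path=None, quote_path=True):
    """Build one Set-Cookie header the way the post describes Tomcat doing it.

    The value is quoted when it contains a separator; Version=1 is added
    for version-1 cookies, and for version 1 the Path is quoted as well.
    quote_path=False yields the Fiddler-edited form that IE 7 accepted.
    """
    v = _quote(value) if _NEEDS_QUOTING.search(value) else value
    parts = [f"{name}={v}"]
    if version == 1:
        parts.append("Version=1")
    if path is not None:
        parts.append(f"Path={_quote(path) if version == 1 and quote_path else path}")
    return "Set-Cookie: " + "; ".join(parts)

# name, optionally followed by '=' and either a quoted string or a bare token
_PAIR = re.compile(r'([^=;\s]+)(?:=("(?:[^"\\]|\\.)*"|[^;]*))?')

def _unquote(s):
    if len(s) >= 2 and s[0] == '"' and s[-1] == '"':
        return re.sub(r'\\(.)', r'\1', s[1:-1])
    return s

def parse_set_cookie(header):
    """Parse a Set-Cookie header into (name, value, attributes).

    Quoted strings are honoured, so a value such as a=b;c survives intact
    instead of being split on '=' or ';' like an attribute list.
    """
    body = header.split(":", 1)[1]
    pairs = [(m.group(1), m.group(2)) for m in _PAIR.finditer(body)]
    name, raw = pairs[0]
    attrs = {k.lower(): (_unquote(v.strip()) if v is not None else None)
             for k, v in pairs[1:]}
    return name, _unquote((raw or "").strip()), attrs

if __name__ == "__main__":
    for h in (set_cookie_header("Cookie4", "Hello World 4!", 1, "/subdir"),
              set_cookie_header("Cookie4", "Hello World 4!", 1, "/subdir", quote_path=False)):
        print(h, "->", parse_set_cookie(h))
```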

