Hi all,

This is a follow-up to the thread "Cookies are broken in 6.0.16?"
http://marc.info/?t=120253944500001&r=2&w=2

Before submitting a bug report on the matter exposed below, I wanted to open a discussion with Tomcat developers about it.

Summary of the above thread:
- Problem: If a webapp is using an equal sign in the value of a cookie, Tomcat alters the cookie value.
- Explanation: For security reasons, a change has been introduced in 5.5.26 and 6.0.16 to cookie management regarding the equal sign.
- Solution suggested by Filip Hanik in the thread: All applications should be modified to use cookie.setVersion(1) if they want to use an equal sign in their value. Using version 1 cookies surrounds all cookie attributes with quotes and leaves the value intact.

First of all, I'd like to point out that breaking existing cookie behavior and requiring applications to be updated in order to work properly is probably not the best choice... Clients tend to think twice before upgrading their application to a more recent version, and it is not a process they want to perform every day...

In our webapp, we use an equal sign in a cookie's value. Even though all the other application servers we use (BEA WebLogic, IBM WebSphere) do not have the above problem, I have decided not to brag too much about this decision for Tomcat, and I was in the process of updating our CMS to use cookie version 1... but...

... it does not work with IE 7. Why? Because a path is specified in our cookie, and Tomcat also surrounds the path with quotes, which is not accepted by IE 7 (probably other versions of IE too, I have not tested yet).

Here is a simple test case. Place this JSP in a directory "subdir" inside a ROOT webapp:

    <%
    Cookie cookie1 = new Cookie("Cookie1", "Hello World 1!");

    Cookie cookie2 = new Cookie("Cookie2", "Hello World 2!");
    cookie2.setVersion(1);

    Cookie cookie3 = new Cookie("Cookie3", "Hello World 3!");
    cookie3.setPath("/subdir");

    Cookie cookie4 = new Cookie("Cookie4", "Hello World 4!");
    cookie4.setPath("/subdir");
    cookie4.setVersion(1);

    response.addCookie(cookie1);
    response.addCookie(cookie2);
    response.addCookie(cookie3);
    response.addCookie(cookie4);
    %>

Here is what Tomcat will output:

    Set-Cookie: Cookie1="Hello World 1!"
    Set-Cookie: Cookie2="Hello World 2!"; Version=1
    Set-Cookie: Cookie3="Hello World 3!"; Path=/subdir
    Set-Cookie: Cookie4="Hello World 4!"; Version=1; Path="/subdir"

==> IE 7 does not send back cookie #4.

Using Fiddler, we alter the response this way:

    Set-Cookie: Cookie1="Hello World 1!"
    Set-Cookie: Cookie2="Hello World 2!"; Version=1
    Set-Cookie: Cookie3="Hello World 3!"; Path=/subdir
    Set-Cookie: Cookie4="Hello World 4!"; Version=1; Path=/subdir

==> IE 7 accepts all the cookies.

I can understand the security reasons behind the modification requiring quotes around cookies' attribute values. So my questions are:
- What could be done in Tomcat to fix this?
- Is the security problem real? If it is, why do other application server vendors not have this behavior?
- As it breaks older applications and is not compatible with IE 7 in some circumstances, do you really think this modification should be kept that way?

Thanks in advance for your replies!

Best regards,
Olivier Jaquemet
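The following is an added illustration, not code from Tomcat or from the poster: a small Set-Cookie serializer that reproduces the four header lines shown in the message for Netscape-style (version 0) and RFC 2109 (version 1) cookies, plus the hand-edited variant from the Fiddler test that quotes the value but leaves Path bare. The quoting rule it applies (emit a quoted-string whenever the text contains an RFC 2616 separator character, which is why a value containing "=" or a path containing "/" gets quoted) is an assumption about the behaviour described in the thread, chosen because it yields exactly the headers shown above; the function names and the `quote_path` parameter are this example's own.

```python
"""Illustrative Set-Cookie serializer (added example; not Tomcat's code).

Assumed quoting rule: any string containing an RFC 2616 separator
(or a control / non-ASCII character) is written as a quoted-string.
'=' and '/' are separators, so a value such as "a=b" and a path such
as "/subdir" are quoted when this rule is applied to them.
"""

# RFC 2616 "separators": ( ) < > @ , ; : \ " / [ ] ? = { } SP HT
SEPARATORS = set('()<>@,;:\\"/[]?={} \t')


def needs_quoting(text):
    """True when text is not a bare token (contains a separator,
    a control character or a non-ASCII character)."""
    return any(c in SEPARATORS or ord(c) < 0x20 or ord(c) > 0x7E for c in text)


def quote_if_needed(text):
    """Return text unchanged if it is a token, else as a quoted-string
    with backslash and double-quote escaped."""
    if not needs_quoting(text):
        return text
    escaped = text.replace("\\", "\\\\").replace('"', '\\"')
    return '"' + escaped + '"'


def set_cookie_header(name, value, version=0, path=None, quote_path=None):
    """Build the value of a Set-Cookie header.

    version    : 0 (Netscape style) or 1 (RFC 2109, adds "Version=1").
    quote_path : None  -> follow the version: quote Path for version 1,
                          leave it bare for version 0 (the behaviour the
                          thread describes);
                 False -> never quote Path (the IE 7 friendly form the
                          poster produced by hand in Fiddler);
                 True  -> always apply the quoting rule to Path.
    Attribute order (value, Version, Path) matches the headers in the post.
    """
    if version not in (0, 1):
        raise ValueError("cookie version must be 0 or 1")
    if not name or needs_quoting(name):
        raise ValueError("cookie name must be a non-empty token")

    parts = [f"{name}={quote_if_needed(value)}"]
    if version == 1:
        parts.append("Version=1")
    if path is not None:
        if quote_path is None:
            quote_path = version == 1
        parts.append("Path=" + (quote_if_needed(path) if quote_path else path))
    return "; ".join(parts)


def headers_from_post():
    """The four cookies of the JSP test case, serialized as Tomcat did."""
    return [
        set_cookie_header("Cookie1", "Hello World 1!"),
        set_cookie_header("Cookie2", "Hello World 2!", version=1),
        set_cookie_header("Cookie3", "Hello World 3!", path="/subdir"),
        set_cookie_header("Cookie4", "Hello World 4!", version=1, path="/subdir"),
    ]


if __name__ == "__main__":
    for h in headers_from_post():
        print("Set-Cookie:", h)
    # The variant the poster accepted in IE 7: value quoted, Path bare.
    print("Set-Cookie:", set_cookie_header("Cookie4", "Hello World 4!",
                                           version=1, path="/subdir",
                                           quote_path=False))
    # A value with an equal sign is what triggers quoting in the first place.
    print("Set-Cookie:", set_cookie_header("Session", "a=b"))
```

Running the script prints the four headers from the message followed by the Fiddler-edited form of Cookie4 and a quoted `Session="a=b"`; the `quote_path` switch shows that quoting the cookie value and quoting the Path attribute are separable decisions, which is the distinction the IE 7 result in the post turns on.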