https://issues.apache.org/bugzilla/show_bug.cgi?id=55867
Mark Thomas <ma...@apache.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution|--- |INVALID
--- Comment #3 from Mark Thomas <ma...@apache.org> ---
Generally Tomcat follows the principle of being flexible in what it accepts and
strict about what it sends. This means that some bending of the specifications
is permitted when processing input where there is no risk of any harm being
done but anything sent by Tomcat will always be specification compliant.
None of the cookie specs I am aware of allow name only cookies so while Tomcat
can optionally be configured to accept them, Tomcat will never send one. Note
that even RFC6265 states that such a cookie should be ignored. I'll also
mention at this point that Tomcat takes a slightly less tolerant view of
non-compliant cookies (requiring an explicit option to be set to process them)
due to past security issues involving malformed cookies.
If some other system can't handle a specification compliant cookie with a
name-value pair of test="" then that is a bug in that system. The Tomcat
project generally avoids adding workarounds for 3rd party components that can't
process specification compliant responses.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
