[ 
http://jira.xwiki.org/jira/browse/XWIKI-2119?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Sergiu Dumitriu closed XWIKI-2119.
----------------------------------

    Fix Version/s: 1.1.3
       Resolution: Fixed

Fixed in rev. 7764

Tested in Tomcat 6.0.14 and 6.0.16, and in Jetty

> Authentication fails with current tomcat versions
> -------------------------------------------------
>
>                 Key: XWIKI-2119
>                 URL: http://jira.xwiki.org/jira/browse/XWIKI-2119
>             Project: XWiki Core
>          Issue Type: Bug
>          Components: Authentication and Rights Management
>    Affects Versions: 1.3 M1, 1.2.2
>            Reporter: Ralf Dotzert
>         Assigned To: Sergiu Dumitriu
>            Priority: Blocker
>             Fix For: 1.3 M2, 1.1.3
>
>
> In Tomcat version 6.0.14 and 5.5.26 the handling of cookies was changed, to 
> fix some security issues. 
> This leads now to the effect, that the login fails because Xwiki detects 
> tampered cookies.
> Xwiki logs "WARN  xwiki.MyPersistentLoginManager  - Login cookie validation 
> hash mismatch! Cookies have been tampered with 
> " and login fails without any error message.
> Detailed description of the changes is discussed in this thread:
> http://www.nabble.com/Cookies-are-broken-in-6.0.16--to15369118.html
> I have just copied the relevant part of this thread, here it is explained, 
> that in the new tomcat version, the cookie handling was changed to make it 
> compliant to the specs. 
> Xwiki has now to be changed to use Cookie Version 1 instead of the default 0.
> Just add the following line 
> cookie.setVersion(1); 
> <<<<<<<<<<<<<<<<<This is the relevant snippet out of the thread mentioned 
> above   <<<<<<
> The changes are documented in the change log. As a result of
> a couple of minor security issues (see
> http://tomcat.apache.org/security-6.html) the cookie handling code has been
> tightened up to make it spec compliant.
> By default the servlet spec uses version 0 cookies. The name value pairs
> are defined as:
> <spec-quote>
> NAME=VALUE
> This string is a sequence of characters excluding semi-colon, comma and
> white space. If there is a need to place such data in the name or value,
> some encoding method such as URL style %XX encoding is recommended, though
> no encoding is defined or required.
> </spec-quote>
> The difficulty here is that although '=' is the delimiter between NAME and
> VALUE there is no need to encode it if it appears in the name or the value.
> This causes some ambiguities when parsing a header of the form:
> Set-Cookie: foo=bar=bartoo
> Is the name 'foo' or 'foo=bar'? Is the value 'bar=bartoo' or 'bartoo'?
> The changes to the cookie parsing mean the second '=' and any text beyond
> it are now ignored.
> If you set the cookie version to 1 then the quoting will be applied where
> necessary and your example will work as you intend.
> <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
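The ambiguity the Tomcat thread describes (a version 0 cookie value that itself contains '=') is exactly what breaks a signed login cookie: if the container keeps only the text before the second '=', the value the application reads back is truncated, and the validation hash no longer matches. The following added example is not XWiki's or Tomcat's code; it models the two parsing behaviours in a few lines of Python and shows a constructed HMAC-signed "remember me" cookie surviving only the version 1 (quoted) form. The cookie layout, the secret, the cookie name and the use of base64 padding (which is what puts an '=' into the value) are all assumptions made for the demonstration.

```python
import base64
import hashlib
import hmac

# Constructed demo secret; a real deployment would use a per-installation key.
SECRET = b"constructed-demo-secret"
COOKIE_NAME = "rememberme"  # assumed cookie name, not XWiki's


def parse_cookie_v0_strict(header):
    """Model of the tightened version 0 parsing described in the thread:
    NAME is everything before the first '=', VALUE is everything between the
    first and the second '='; the second '=' and any text after it are ignored."""
    name, _, rest = header.partition("=")
    value = rest.split("=", 1)[0]
    return name.strip(), value.split(";", 1)[0].strip()


def encode_v1(name, value):
    """Version 1 (RFC 2109) style encoding: values containing separator
    characters are sent as a quoted-string with backslash escapes."""
    if any(c in value for c in '=;, \t"'):
        value = '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'
    return f"{name}={value}; Version=1"


def parse_cookie_v1(header):
    """Parse NAME=VALUE where VALUE may be a quoted-string (version 1)."""
    name, _, rest = header.partition("=")
    rest = rest.strip()
    if not rest.startswith('"'):
        return name.strip(), rest.split(";", 1)[0].strip()
    out, i = [], 1
    while i < len(rest):
        c = rest[i]
        if c == "\\" and i + 1 < len(rest):  # escaped character
            out.append(rest[i + 1])
            i += 2
            continue
        if c == '"':  # closing quote ends the value
            break
        out.append(c)
        i += 1
    return name.strip(), "".join(out)


def _sign(data):
    return hmac.new(SECRET, data.encode(), hashlib.sha256).hexdigest()[:16]


def make_login_cookie(username):
    """Constructed persistent-login value: base64(username) + ':' + HMAC tag.
    Standard base64 padding introduces '=' into the cookie value."""
    data = base64.b64encode(username.encode()).decode()
    return f"{data}:{_sign(data)}"


def validate_login_cookie(value):
    """Return True only if the HMAC tag matches the data part."""
    data, sep, tag = value.rpartition(":")
    if not sep:
        return False
    return hmac.compare_digest(tag, _sign(data))


def login_survives(parser, header):
    """Parse the Set-Cookie text with the given parser and validate the result."""
    name, value = parser(header)
    return name == COOKIE_NAME and validate_login_cookie(value)


def demo(username="Admin"):
    cookie = make_login_cookie(username)
    v0_header = f"{COOKIE_NAME}={cookie}"        # version 0, unquoted
    v1_header = encode_v1(COOKIE_NAME, cookie)   # version 1, quoted
    return {
        "cookie": cookie,
        "v0_value_seen": parse_cookie_v0_strict(v0_header)[1],
        "v0_login_ok": login_survives(parse_cookie_v0_strict, v0_header),
        "v1_login_ok": login_survives(parse_cookie_v1, v1_header),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running `demo()` shows the value the version 0 parser hands back stops at the base64 padding, so the tag is gone and validation fails (the "hash mismatch" symptom), while the quoted version 1 form round-trips intact. The fix in the ticket, `cookie.setVersion(1)`, selects that second path on the server side; the defender-side check is simply to validate what the container actually returns rather than what was set.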

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: 
http://jira.xwiki.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

        
_______________________________________________
notifications mailing list
notifications@xwiki.org
http://lists.xwiki.org/mailman/listinfo/notifications