[I realize this message is over a week old.]
On Fri, 25 Jun 1999, McKisson, Shawn wrote:
> As a follow up to the cookie versions,
>
> try
> cookie1.setVersion(int inVersion);
> and
> int version = cookie1.getVersion();
>
> With version 0 cookies, values should not contain the following:
> whitespace, brackets and parens, equal signs, commas, double quotes,
> slashes, question marks, at signs, colons, and semicolons. Empty
> values may not behave the same way on all browsers.
>
> I believe that version 0 is the default when a cookie is instantiated.
> Version 1 has fever restrictions on the values of the cookies.
OK, some comments, but first some clarifications.
Previously, I talked about what characters are allowed in cookie
values. That wasn't quite accurate, as I should've talked about what
characters are allowed in cookie names *and* values.
Version 0 cookies means cookies according to Netscape's original spec,
which can be found at:
http://www.netscape.com/newsref/std/cookie_spec.html
In the section about the syntax of cookies, here's what it has to say
about valid names and values:
NAME=VALUE
This string is a sequence of characters excluding semi-colon,
comma and white space. If there is a need to place such data in
the name or value, some encoding method such as URL style %XX
encoding is recommended, though no encoding is defined or
required.
(It doesn't specifically exclude '=', but it seems that you will run
into problems if one is in the name or the value, as you won't know
where the delimiter between the name and the value is; one possible
way out of this is to assume that the first '=' is the delimiter.)
Now, what you say above is true, and is taken out of the Cookie.java
source, but it is problematic (altthough, actually, version 1 has
*more* restrictions on the names/values of cookies -- it goes by RFC
2109).
Yes, the JSDK Cookie.java code does have a version parameter, and by
default it is 0. The problem is that the Cookie constructor behaves
the same regardless of the value of the version parameter. In
particular, it checks that the cookie name is a valid HTTP 1.1 token,
a requirement *only* of version 1 cookies (per RFC 2109), not version
0 cookies. (I mentioned this way back when they were taking comments
on the draft JSDK 2.0 spec, but I don't think it's yet been addressed
-- James Duncan Davidson, are you listening? :-) And of course,
setting the version after the cookie has been constructed doesn't do
any good.
Regarding the note about what kinds of values should be used with
version 0 vookies: Such characters (except for semi-colon, comma, and
whitespace) are not disallowed by the Netscape spec, so if version 0
cookies are supposed to be interoperable with that spec (as I believe
is claimed), then those characters can't be disallowed. (I don't
recall what restrictions RFC 2109 places on the values of cookies, but
that isn't really relevant here.)
Of course, if you are setting cookies in the response, then you have
control over what names and values are used. By when it comes to
reading in the cookies from the request (which is handled by the
servlet engine), what names and values are used may be out of your
hands.
Getting back to the original poster's problem, it was that there was
an '=' in the cookie value. I missed that earlier, but it explains
why no IllegalArgumentException's are thrown -- that only happens when
the problem is with the name. I don't know where it was failing
because of the '=' in the value, but it looks like it was failing
somewhere (maybe it's in the servlet engine code and not the
Cookie.java code).
> -----Original Message-----
> From: Milt Epstein [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, June 24, 1999 2:57 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Zero length array!
>
>
> On Thu, 24 Jun 1999, Emuleomo, Olu (PME) wrote:
>
> > Actually, I have found the Bug!!!
> > The problem is this.
> > The user agent (Netscape 4.6) is sending me 2 cookies.
> > One called "SITEFOO" value "ID=abcdefg"
> > and another, the session cookie with value "somevaluefof"
> > Now, req.getCookies() returns a ZERO LENGTH array because the value in the
> > 1st cookie (ID=abcdefg) contains an equals sign!!! (=)
> > Now, If i shutdown the browser and I edit the cookies file and change the
> > cookie value to ID1abcdefg (ie, I replace the = sign with a 1)
> > EVERYTHING WORKS fine!
> >
> > So, the bug is in req.getCookies()
>
> Well, depending on what version of cookies you're using, certain
> characters are not allowed in cookie values. I had a problem with
> this some time back. By Netscape's original spec (version 0), most
> characters are allowed (with the exception of a few, like ' ' and ',',
> I don't recall exactly). With the new cookie spec (RFC 2109, version
> 1), there are many more disallowed characters, including "=" (the
> restrictions amount to saying that the cookie value must be a valid
> HTTP 1.1 "token"). Technically, the JSDK was supposed to allow
> cookies of both types (and even had a "version" parameter), but it did
> have some problems with that -- it would throw
> IllegalArgumentException's when encountering cookies with the
> disallowed characters. If you take a look at the Cookie.java source,
> you can see all this. Although, I don't know whether this problem has
> been addressed in more recent JSDK versions. Are you getting any
> IllegalArgumentException's?
[ ... ]
Milt Epstein
Research Programmer
Software/Systems Development Group
Computing and Communications Services Office (CCSO)
University of Illinois at Urbana-Champaign (UIUC)
[EMAIL PROTECTED]
___________________________________________________________________________
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
of the message "signoff SERVLET-INTEREST".
Archives: http://archives.java.sun.com/archives/servlet-interest.html
Resources: http://java.sun.com/products/servlet/external-resources.html
LISTSERV Help: http://www.lsoft.com/manuals/user/user.html
