Cookie handling is fundamentally a complete mess. Specifications exist but are not fully implemented, are not consistent with related specifications, etc.
Having tried to sort this out the last time around and having read Jeremy's great work on documenting where we stand at the present moment, it often feels like it wouldn't be too hard to make a case that just about any cookie name or value that isn't a token (as per RFC2616) is either valid or invalid depending on which specification(s) you choose to read.

I'd strongly encourage anyone thinking about commenting further on this thread to take the time to read the wiki page [1] where the Tomcat committers (and Jeremy in particular) are currently trying to figure out exactly how Tomcat should handle cookies in the future.

Mark

[1] http://wiki.apache.org/tomcat/Cookies