On 06/09/2016 20:57, Robert Winch wrote: > Mark, > > Thanks again for your detailed response. > > In addition to the STRICT_SERVLET_COMPLIANCE flag, would you consider > supporting the older RFC if a cookie version was explicitly set on the > Cookie?
If applications want to explicitly send version 1 cookies then they'll need to configure the LegacyCookieProcessor. Given that RFC6265 essentially documents the current browser behaviour and also that RFC6265 says clients should ignore the version attribute I'd be surprised if any but a tiny minority of applications actually needed to send the version attribute. I guess if someone has written a custom client that actually implements RFC2109 they'd need this but it is going to be that unusual. Mark > > Cheers, > Rob > > On Tue, Sep 6, 2016 at 1:21 PM, Mark Thomas <ma...@apache.org> wrote: > >> On 06/09/2016 19:02, Robert Winch wrote: >>> Mark, >>> >>> Thank you for the detailed response. >>> >>> I'm looking to assess the full impact of applications that might choose >> to >>> use LegacyCookieProcessor. Can you elaborate on why using >>> LegacyCookieProcessor is a bad idea? >> >> It isn't that LegacyCookieProcessor is bad, it just doesn't reflect the >> current reality as well as the RFC6265 processor. >> >> As an aside, the Servlet spec implies strict adherence to RFC2109. That >> would be fairly messy. From memory, it breaks interoperability with >> Google and IE, as well as a bunch of other issues. >> >> Rfc6262CookieProcessor is better because: >> - it is a much closer match to how browsers actually behave >> - it handles UTF-8 (this is actually a deviation from RFC6265) >> >> To quote from the intro of RFC6265: >> <quote> >> Prior to this document, there were at least three descriptions of >> cookies: the so-called "Netscape cookie specification" [Netscape], >> RFC 2109 [RFC2109], and RFC 2965 [RFC2965]. However, none of these >> documents describe how the Cookie and Set-Cookie headers are actually >> used on the Internet (see [Kri2001] for historical context). >> </quote> >> >> The potential downside is that Tomcat is strict in what it allows >> applications to send. If applications don't adhere to RFC6265 then they >> will see exceptions around cookie handling. >> >>> Are you aware of other containers that also use RFC6265? >> >> I haven't undertaken any sort of survey. >> >> To date, the only problem we have seen with RFC6265 that comes to mind >> is that Tomcat rejects domain values with leading '.' when an >> application creates a cookie. We could be lenient here but that goes >> against our general philosophy of not adding workarounds for bad >> application behaviour expect in exception circumstances (and this isn't >> close to this point so far). >> >> Mark >> >> >> --------------------------------------------------------------------- >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org >> For additional commands, e-mail: users-h...@tomcat.apache.org >> >> > --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
