On 18/05/2017 19:12, Caldarale, Charles R wrote:
From: jared.paul.wal...@gmail.com [mailto:jared.paul.wal...@gmail.com] On 
Behalf Of Jared Walker
Subject: Tomcat 8.5.4 and LegacyCookieProcessor

We are migrating to the version of tomcat identified in the subject

Before exposing an almost year-old version to the nasty real world, you might 
want to look at this:
         http://tomcat.apache.org/security-8.html
and then pick a newer level (hint: 8.5.15 would be good).

Plus that version includes a fix for the problem the OP is seeing:
https://bz.apache.org/bugzilla/show_bug.cgi?id=60627


1. What are the security and compatibility concerns when using the
legacy processor

Sorry, can't answer that one.

Security concerns - none known (if there were we'd have fixed them)

Compatibility - tends to play better with older browsers. Lots of config options to handle various edge cases.

Mark


2. The header for LegacyCookieProcessor.java explicitly states: "This
class is not thread-safe."

Can someone here with background knowledge explain exactly what's not
thread-safe about the processor?  Does this mean you cannot use it for
multiple simultaneous requests (pretty hindering for a server) or does
this mean that you cannot have multiple threads parse the cookie
contents of a request in parallel (which isn't a very normal thing to
do)?

It's neither, really; there is one instance of CookieProcessor per <Context>, and the 
fields within LegacyCookieProcessor that make it not thread-safe are only set (in Tomcat) 
when the <Context> is initialized.  Were you to dynamically reset the fields while 
requests were in progress, you could get in trouble.  The fields are described here:

http://tomcat.apache.org/tomcat-8.5-doc/config/cookie-processor.html

  - Chuck
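To make the per-<Context> point above concrete, here is an added example (not from the original thread) of how the processor is declared in a web application's META-INF/context.xml; the attribute values shown are illustrative, and the parameter names are those documented on the cookie-processor page linked above:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: one CookieProcessor instance is created per Context,
     and its fields are set here, at Context initialization, which is why
     the "not thread-safe" note does not affect concurrent request handling. -->
<Context>
    <!-- Tomcat 8.5 defaults to Rfc6265CookieProcessor; this opts a single
         webapp into the legacy (RFC 2109/2965 style) parser instead. -->
    <CookieProcessor className="org.apache.tomcat.util.http.LegacyCookieProcessor"
                     allowEqualsInValue="true"
                     allowNameOnly="false"
                     allowHttpSepsInV0="false"
                     alwaysAddExpires="true" />
</Context>
```

Do not change these attributes at runtime (e.g. via JMX) while requests are in flight; redeploy the Context instead.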




---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



