Jared,

On 5/18/17 1:24 PM, Jared Walker wrote:
> Now, I know this is only a work around as the "spec" being used by
> this client is ancient. We are considering using the legacy parser
> as a stop-gap measure until we can update the external clients with
> a new version.

Others have answered your core question, but I have another point to add: you can fix these clients by changing your application slightly.

Modify your application to re-write your cookie values with a value that does not require any spec-ambiguous decoding. Specifically, use something like base64 encoding so your cookie value is always clean.

If a client sends you a cookie value that is not in the "new" format, re-issue the cookie value to them with the new format. Issue all new cookies in the new format (of course). Then it doesn't matter whether or not the clients are properly spec-compliant.

> 2. The header for LegacyCookieProcessor.java explicitly states:
> "This class is not thread-safe."

That is a note to direct consumers of the class. Tomcat's use of this class is safe (it would be a pretty bad bug if it were not used in a safe way).

-chris
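
The re-encoding approach suggested in the message above, sketched as an added example that is not part of the original post or of Tomcat's code. The class and method names and the `v2.` marker are assumptions made for illustration, and URL-safe unpadded base64 is chosen here so the encoded value contains no characters that cookie parsers treat differently.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class CookieValueCodec {
    // Hypothetical marker identifying values already in the new format.
    static final String PREFIX = "v2.";

    // Outcome of reading one cookie: the application value, plus the
    // re-encoded value to send back in Set-Cookie (null if none is needed).
    static final class Read {
        final String value, reissue;
        Read(String value, String reissue) { this.value = value; this.reissue = reissue; }
    }

    // URL-safe base64 without padding emits only A-Z a-z 0-9 - and _,
    // so no cookie parser has to guess about quotes, spaces, ';' or '='.
    static String encode(String raw) {
        return PREFIX + Base64.getUrlEncoder().withoutPadding()
                .encodeToString(raw.getBytes(StandardCharsets.UTF_8));
    }

    static Read read(String received) {
        if (received == null) return new Read(null, null);
        if (received.startsWith(PREFIX)) {
            try {
                byte[] b = Base64.getUrlDecoder().decode(received.substring(PREFIX.length()));
                return new Read(new String(b, StandardCharsets.UTF_8), null);
            } catch (IllegalArgumentException malformed) {
                // Has the prefix but is not valid base64: fall through and
                // treat it as an old-format value.
            }
        }
        // Old-format value: use it as received and re-issue it encoded.
        return new Read(received, encode(received));
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from the thread.
        String legacy = "jared walker,tz=\"GMT+1\"";
        String[] samples = { legacy, encode(legacy), "v2.%%%" };
        for (String s : samples) {
            Read r = read(s);
            System.out.println(s + " -> value=" + r.value + " reissue=" + r.reissue);
        }
    }
}
```

The decoded value is still client-supplied input, so whatever validation the application applied to the old cookie value applies unchanged to the decoded one.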