On 24/05/2011 21:25, Dan Checkoway wrote:
> This is super low priority, since I assume somebody is passing junk in a
> Set-Cookie header, but I'd love to get to the bottom of it (I'm of the "no
> request left behind" mindset), and I'm still in the dark about what Tomcat
> doesn't like about what it's being passed.
> 
> Can you guys shed any light on what might evoke that "Control character in
> cookie value or attribute" error in 7.0.14?

One of the huge benefits of Tomcat is that it is open source so, if you
know where to look, you can just check the source code to see why Tomcat
behaves the way it does. You have a stack trace so you know the file and
line number. Take a look at line 192 (and the couple of lines above it)
in the following file:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/http/CookieSupport.java?view=annotate

That file is from svn trunk but it hasn't changed since 7.0.14.

> I still can't get my head wrapped around which ServerCookie.* property(ies)
> to tweak to try to figure this out.

Those aren't going to help you. If a control character is detected in
the cookie header then the whole request is toast.

Mark

> 
> Thanks,
> Dan
> 
> On Fri, May 20, 2011 at 4:56 PM, Dan Checkoway <dchecko...@gmail.com> wrote:
> 
>> Ah, thanks!  To be honest I'm not sure which of those properties would work
>> around the "Control character in cookie value or attribute" exception.
>>
>> Maybe org.apache.tomcat.util.http.ServerCookie.FWD_SLASH_IS_SEPARATOR?  I
>> can't tell if "Control character" means a literal non-printable character
>> (i.e. something between 0x00 and 0x1F), or something else like a \ getting
>> in there, like foo\nbar.
>>
>> Don't suppose it could be unicode in a cookie value that's causing this?
>> Which seems more plausible to you, 0x00 or unicode?
>>
>> And any specific suggestions for config tweaks would be much appreciated!
>>
>> Dan
>>
>>
>>
>> On Fri, May 20, 2011 at 3:56 PM, Caldarale, Charles R <
>> chuck.caldar...@unisys.com> wrote:
>>>
>>>> From: Dan Checkoway [mailto:dchecko...@gmail.com]
>>>> Subject: Control character in cookie value or attribute
>>>
>>>> I honestly have no idea if it's related to the tomcat version
>>>> or some legitimately wacked out Set-Cookie header coming in.
>>>
>>> Both, actually.  Tomcat 7 is a bit more picky about what it accepts for
>>> cookies.  You can control the behavior with the cookie-related properties
>>> listed here:
>>>
>>> http://tomcat.apache.org/tomcat-7.0-doc/config/systemprops.html#Specification
>>>
>>>  - Chuck
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>>
>>
>>
> 
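For the question raised in the thread (a real control character, a backslash sequence such as foo\nbar, or non-ASCII text), the following added example, which is not from the thread or from Tomcat's source, classifies every byte of a captured Cookie header value that falls outside printable ASCII. The byte classes, function names and sample headers are assumptions made for illustration; the exact range Tomcat rejects is defined in the CookieSupport.java file linked above.

```python
from typing import List, NamedTuple

class Finding(NamedTuple):
    cookie: str   # escaped cookie name the byte was found in
    offset: int   # byte offset within the whole header value
    byte: int     # the offending byte
    kind: str     # "tab", "control", "del" or "non-ascii"

def classify(b: int) -> str:
    """Return "" for printable ASCII (0x20-0x7e), else the class of the byte."""
    if b == 0x09:
        return "tab"
    if b < 0x20:
        return "control"
    if b == 0x7F:
        return "del"
    if b >= 0x80:
        return "non-ascii"
    return ""

def escape(raw: bytes) -> str:
    """Render bytes for a log line: printable ASCII as-is, the rest as \\xNN."""
    return "".join(chr(b) if not classify(b) and b != 0x5C else f"\\x{b:02x}"
                   for b in raw)

def scan_cookie_header(value: bytes) -> List[Finding]:
    """Walk each name=value pair of a Cookie header and report odd bytes."""
    findings, pos = [], 0
    for pair in value.split(b";"):
        name = pair.split(b"=", 1)[0].strip(b" ")
        for i, b in enumerate(pair):
            kind = classify(b)
            if kind:
                findings.append(Finding(escape(name), pos + i, b, kind))
        pos += len(pair) + 1  # +1 for the ";" consumed by split
    return findings

# Constructed sample header values (not taken from the thread).
SAMPLES = [
    b"JSESSIONID=ABC123; theme=dark",
    b"a=1; note=foo\nbar",                  # literal LF (0x0a) inside a value
    b"a=1; note=foo\\nbar",                 # backslash + 'n': two printable bytes
    "lang=fran\u00e7ais".encode("utf-8"),   # non-ASCII text sent as UTF-8
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(escape(s), "->", scan_cookie_header(s) or "clean")
```

Feed it the raw header bytes from a proxy log or packet capture rather than a decoded string, so that multi-byte sequences are reported byte by byte.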



