Posted to dev@tomcat.apache.org by bu...@apache.org on 2013/12/12 08:15:00 UTC

[Bug 55867] New: When Cookie value is empty, double quotes are added

https://issues.apache.org/bugzilla/show_bug.cgi?id=55867

            Bug ID: 55867
           Summary: When Cookie value is empty, double quotes are added
           Product: Tomcat 7
           Version: 7.0.41
          Hardware: PC
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Servlet & JSP API
          Assignee: dev@tomcat.apache.org
          Reporter: shilpik@adobe.com

When the Cookie value is empty, double quotes are added. For example, if the
cookie is the following:

name = test
value = 

the resultant cookie in the client is test = ""

Tried using org.apache.tomcat.util.http.ServerCookie.ALLOW_NAME_ONLY property,
but it has no effect.

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


[Bug 55867] When Cookie value is empty, double quotes are added

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=55867

Christopher Schultz <ch...@christopherschultz.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 OS|                            |All

--- Comment #1 from Christopher Schultz <ch...@christopherschultz.net> ---
RFC2109 says that values are tokens or quoted-values, and whitespace is allowed
around tokens, equals signs, etc. Using value="" seems entirely appropriate.

RFC2109 also says that the cookie value is opaque to the client and only has
meaning to the server. Since the server decided to add the double-quotes, it
should be able to handle the cookie value coming back to it.

Why is this a bug?



[Bug 55867] When Cookie value is empty, double quotes are added

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=55867

--- Comment #2 from Shilpi <sh...@adobe.com> ---
This creates a problem if the cookie value is validated or checked in some
other system/server/component, as an empty cookie was expected there.

The org.apache.tomcat.util.http.ServerCookie.ALLOW_NAME_ONLY property is honored
while reading request cookies. Can we also not use the same while setting
cookies?



[Bug 55867] When Cookie value is empty, double quotes are added

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=55867

Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |INVALID

--- Comment #3 from Mark Thomas <ma...@apache.org> ---
Generally Tomcat follows the principle of being flexible in what it accepts and
strict about what it sends. This means that some bending of the specifications
is permitted when processing input where there is no risk of any harm being
done but anything sent by Tomcat will always be specification compliant.

None of the cookie specs I am aware of allow name-only cookies, so while Tomcat
can optionally be configured to accept them, Tomcat will never send one. Note
that even RFC6265 states that such a cookie should be ignored. I'll also
mention at this point that Tomcat takes a slightly less tolerant view of
non-compliant cookies (requiring an explicit option to be set to process them)
due to past security issues involving malformed cookies.

If some other system can't handle a specification compliant cookie with a
name-value pair of test="" then that is a bug in that system. The Tomcat
project generally avoids adding workarounds for 3rd party components that can't
process specification compliant responses.

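The behaviour comments #1 and #3 expect from a receiving component, as an added example that is not part of the original thread or Tomcat's code: a strict cookie-pair validator that accepts `test=""` as a valid empty value and ignores name-only or malformed cookies. The function names and sample inputs are hypothetical, and treating the surrounding double quotes as delimiters (as with an RFC2109 quoted value) is an assumption of this sketch.

```python
import re

# cookie-octet per RFC 6265 section 4.1.1: printable US-ASCII without
# whitespace, DQUOTE, comma, semicolon and backslash.
_COOKIE_OCTETS = re.compile(r'[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*')
# Cookie names are HTTP tokens: no control characters or separators.
_TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


def parse_cookie_pair(pair):
    """Return (name, value) for one cookie-pair, or None if it must be ignored."""
    name, sep, raw = pair.strip().partition("=")
    if not sep:
        return None  # name-only cookie: no "=", so it is ignored
    name, raw = name.strip(), raw.strip()
    if not _TOKEN.fullmatch(name):
        return None
    # A value may be wrapped in exactly one pair of double quotes.
    # Assumption of this example: the quotes are delimiters, so test=""
    # and test= both yield the empty string.
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        raw = raw[1:-1]
    # Anything left that is not a cookie-octet (a stray quote, a space,
    # a control character) makes the pair malformed.
    if not _COOKIE_OCTETS.fullmatch(raw):
        return None
    return name, raw


def parse_cookie_header(header):
    """Parse a Cookie header value into a dict, skipping invalid pairs."""
    cookies = {}
    for pair in header.split(";"):
        parsed = parse_cookie_pair(pair)
        if parsed is not None:
            # Policy choice of this example: the first occurrence wins.
            cookies.setdefault(parsed[0], parsed[1])
    return cookies


if __name__ == "__main__":
    # Constructed sample header: quoted-empty, normal, name-only, unbalanced quote.
    print(parse_cookie_header('test=""; sid=abc123; flag; bad="x'))
```
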