Posted to commits@wicket.apache.org by "Michael Mikhulya (JIRA)" <ji...@apache.org> on 2009/11/13 13:45:39 UTC
[jira] Created: (WICKET-2577) Cookies with special symbols in its values aren't properly saved
Cookies with special symbols in its values aren't properly saved
----------------------------------------------------------------
Key: WICKET-2577
URL: https://issues.apache.org/jira/browse/WICKET-2577
Project: Wicket
Issue Type: Bug
Components: wicket
Affects Versions: 1.4.4
Reporter: Michael Mikhulya
Cookies with special symbols in their values aren't properly saved and, as a result, aren't properly loaded.
The real example is usage of an email name as a login in a login form with a "remember me" feature.
The problem is that the email name contains the '@' symbol, which is inside the "tspecials" set according to RFC 2068 (2.2), and so can't be used in a cookie value.
A possible solution to this issue is to use "quoted-string" instead of "token", as described in RFC 2109 (4.1).
To work around this problem I override getValuePersister class of a Form class:
    @Override
    protected IValuePersister getValuePersister() {
        return new CookieValuePersister() {
            @Override
            public void save(String key, String value) {
                // Wrap the value in double quotes so it is sent as a quoted-string.
                super.save(key, "\"" + value + "\"");
            }
        };
    }
Without this workaround the loaded value is just "username" instead of "username@domain.name".
I believe the proper place to fix it is in the Cookie class, but probably there are some historical reasons not to follow the RFC.
E.g. in Jetty's servlet-api-2.5-6.1.9 you can see the following code:
    // Note -- disabled for now to allow full Netscape compatibility
    // from RFC 2068, token special case characters
    //
    // private static final String tspecials = "()<>@,;:\\\"/[]?={} \t";
    private static final String tspecials = ",; ";
But the issue exists in the Tomcat implementation of servlet-api too, and also depends on the browser.
So I suggest adding a workaround in Wicket. Probably we should add quotes only if tspecials are contained in the cookie value, but in my workaround I don't care about two extra chars and also don't check whether the value is already quoted.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (WICKET-2577) Cookies with special symbols in its values aren't properly saved
Posted by "Michael Mikhulya (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/WICKET-2577?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12778339#action_12778339 ]
Michael Mikhulya commented on WICKET-2577:
------------------------------------------
I would like to note that the issue appears when org.apache.catalina.STRICT_SERVLET_COMPLIANCE is true (this option is required by PersistentManager).
Otherwise Tomcat adds quotes on its own.
[jira] Resolved: (WICKET-2577) Cookies with special symbols in its values aren't properly saved
Posted by "Igor Vaynberg (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/WICKET-2577?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Igor Vaynberg resolved WICKET-2577.
-----------------------------------
Assignee: Igor Vaynberg
Resolution: Won't Fix
See WICKET-2842 for how to make this work.