Posted to dev@tomcat.apache.org by Slawek Zachcial <sl...@yahoo.com> on 2002/02/09 12:44:52 UTC

header value too long - 400 error - is that good?

Hi,

I have the following problem. I think it's more for
Tomcat developers than for users so I'm posting it
here.

Let's say you have three servers (not Tomcat :-).
dev1.toto.com, dev2.toto.com, dev3.toto.com. Each of
these servers sets a very long permanent cookie on
client's machine. The client uses all three servers.
Now, let's say you have your great app running on
Tomcat: mytomcatapp.toto.com.

Finally let's say the cookie domain for devX is set to
toto.com.

So all the cookies (from devX) are sent back to your
tomcat app when you try to access its pages. 

In that case tomcat generates HTTP 400. I checked in
the source code and it seems that the header value
size limit is set to 4K.

The bottom line is that some other web applications
may prevent your app users from accessing your tomcat app.
I had that experience :-(((.

Maybe the "400 error" behaviour should be slightly
modified. Instead of sending this error maybe only 4K
should be read from the header value? But I guess there
may be some other concerns behind the scenes (e.g.
security).

cheers,
slawek


--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>
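
Added example (not part of the original thread, and not Tomcat code): a Python check of the scenario in the post above, showing which cookies a browser would send to mytomcatapp.toto.com and whether the resulting Cookie header value passes the 4K limit the poster reports. The cookie names and the 1500-character values are constructed, the limit is assumed to apply to the header value length in bytes, and Path, Secure and expiry handling are left out.

```python
HEADER_VALUE_LIMIT = 4 * 1024  # the 4K header value limit reported in the post

def domain_match(host, cookie_domain):
    """RFC 6265 section 5.1.3 domain matching (hostnames only, no IP literals)."""
    host, cookie_domain = host.lower(), cookie_domain.lower().lstrip(".")
    return host == cookie_domain or host.endswith("." + cookie_domain)

def parse_set_cookie(origin_host, header):
    """Return (name, value, domain, host_only) for one Set-Cookie header value."""
    pair, *attrs = [part.strip() for part in header.split(";")]
    name, _, value = pair.partition("=")
    domain = None
    for attr in attrs:
        key, _, val = attr.partition("=")
        if key.strip().lower() == "domain" and val.strip():
            domain = val.strip()
    # No Domain attribute means host-only: the cookie goes back to origin_host alone.
    return name.strip(), value.strip(), domain or origin_host, domain is None

def cookie_header_for(target_host, jar):
    """Cookie header value a browser would send to target_host."""
    sent = []
    for origin, header in jar:
        name, value, domain, host_only = parse_set_cookie(origin, header)
        if not domain_match(origin, domain):
            continue  # browsers reject a Domain the setting host does not belong to
        if host_only:
            applies = target_host.lower() == origin.lower()
        else:
            applies = domain_match(target_host, domain)
        if applies:
            sent.append(f"{name}={value}")
    return "; ".join(sent)

def check(target_host, jar, limit=HEADER_VALUE_LIMIT):
    """Return (header value length in bytes, True if it exceeds the limit)."""
    size = len(cookie_header_for(target_host, jar).encode("ascii"))
    return size, size > limit

# Constructed sample data: three sibling hosts, each setting a 1500-character cookie.
HOSTS = ["dev1.toto.com", "dev2.toto.com", "dev3.toto.com"]
SHARED = [(h, f"{h.split('.')[0]}={'x' * 1500}; Domain=toto.com; Path=/") for h in HOSTS]
HOST_ONLY = [(h, f"{h.split('.')[0]}={'x' * 1500}; Path=/") for h in HOSTS]

if __name__ == "__main__":
    print("Domain=toto.com:", check("mytomcatapp.toto.com", SHARED))
    print("host-only:      ", check("mytomcatapp.toto.com", HOST_ONLY))
```

With Domain=toto.com all three cookies reach the Tomcat host and the header value goes over the limit; the same cookies set without a Domain attribute stay with the host that set them.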


Re: header value too long - 400 error - is that good?

Posted by Bill Barker <wb...@wilshire.com>.
>
> In that case tomcat generates HTTP 400. I checked in
> the source code and it seems that the header value
> size limit is set to 4K.
>
Could you please give more information about your setup?  In particular, the
version of Tomcat that you are using, and if applicable, the Connector you
are using (e.g. Apache, IIS).

