You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by bu...@apache.org on 2008/12/15 22:46:49 UTC
DO NOT REPLY [Bug 46403] New: Persistent cookies written by 6.0.18
do not work in Internet Explorer or Safari
https://issues.apache.org/bugzilla/show_bug.cgi?id=46403
Summary: Persistent cookies written by 6.0.18 do not work in
Internet Explorer or Safari
Product: Tomcat 6
Version: 6.0.18
Platform: PC
URL: http://cephas.net/blog/2008/11/18/tomcat-6018-version-1-
cookies-acegi-remember-me-and-ie/
OS/Version: Linux
Status: NEW
Severity: major
Priority: P2
Component: Catalina
AssignedTo: dev@tomcat.apache.org
ReportedBy: matt@editme.com
This blog post shows up in Google when searching for this problem, and is a
better explanation that I can give here:
http://cephas.net/blog/2008/11/18/tomcat-6018-version-1-cookies-acegi-remember-me-and-ie/
To summarize, in 6.0.18, the way Tomcat writes persistent cookie headers was
changed from:
Set-Cookie:
yankeessuck=YWFyb246MTIyODI0ODEwMjk5NjoyOGM5ODc4YzExOGZiOGZjZTBkZDE0ZTA1ZWRhZTM3Nw==;
Expires=Thu, 19-Nov-2009 02:29:29 GMT;
to:
Set-Cookie:
yankeessuck="YWFyb246MTIyODI0ODEwMjk5NjoyOGM5ODc4YzExOGZiOGZjZTBkZDE0ZTA1ZWRhZTM3Nw==";
Version=1; Max-Age=31536000;
The value was enclosed in quotes, a "Version=1" parameter was added, and the
Expires parameter was replaced with a Max-Age parameter.
Though cookies are written correctly to specification, Internet Explorer (6 and
7) and Safari do not support the Max-Age parameter. As a result, an application
writing persistent cookies in this version of Tomcat won't work for Internet
Explorer or Safari.
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
DO NOT REPLY [Bug 46403] Persistent cookies written by 6.0.18 do not
work in Internet Explorer or Safari
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=46403
--- Comment #5 from novoj <no...@gmail.com> 2010-05-26 10:59:30 EDT ---
The problem is also with Firefox 3.6.3 and Tomcat 6.0.26. When reading Cookie
via Firefox API:
function getCookie(name, host) {
var cookieManager =
Cc["@mozilla.org/cookiemanager;1"].getService(Ci.nsICookieManager);
var iter = cookieManager.enumerator, {
nsICookie
}
= Ci;
while (iter.hasMoreElements()) {
var cookie = iter.getNext();
if (cookie instanceof nsICookie && cookie.name == name && cookie.host
== host) {
return cookie.value;
}
}
return null;
}
It reads quoted values with quotes around them - which is obviously wrong.
Seems, that only Tomcat respects the RFC :(.
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
DO NOT REPLY [Bug 46403] Persistent cookies written by 6.0.18 do not
work in Internet Explorer or Safari
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=46403
--- Comment #1 from Matt Wiseley <ma...@editme.com> 2008-12-15 17:52:34 PST ---
Created an attachment (id=23027)
--> (https://issues.apache.org/bugzilla/attachment.cgi?id=23027)
Simple JSP that reproduces the behavior.
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
DO NOT REPLY [Bug 46403] Persistent cookies written by 6.0.18 do not
work in Internet Explorer or Safari
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=46403
--- Comment #2 from Matt Wiseley <ma...@editme.com> 2008-12-15 19:26:41 PST ---
Created an attachment (id=23028)
--> (https://issues.apache.org/bugzilla/attachment.cgi?id=23028)
Patch to always include Expires parameter regardless of version
This patch adds the Expires cookie parameter in addition to the Max-Age
parameter. Though not technically to the cookies spec, it works. Tested in
Google Chrome, Firefox 3.0 and IE7.
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
DO NOT REPLY [Bug 46403] Persistent cookies written by 6.0.18 do not
work in Internet Explorer or Safari
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=46403
--- Comment #3 from Mark Thomas <ma...@apache.org> 2008-12-23 05:19:48 PST ---
For completeness, the cookie parsing changes were required to correct various
security vulnerabilities.
I really don't like the idea of adding work arounds to Tomcat for bugs in other
software but I don't see a choice here.
I have applied a variation of your patch to trunk and proposed it for 6.0.x.
The variation is making the addition of the expires header optional.
There are occassional ASF/MS get togethers where issues like this can be raised
(and hopefully fixed). I have a list of things to raise at the next one and
I've added this to it. As far as I am aware there are no dates set for the next
get together so don't expect an IE fix any time soon.
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
DO NOT REPLY [Bug 46403] Persistent cookies written by 6.0.18 do not
work in Internet Explorer or Safari
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=46403
Mark Thomas <ma...@apache.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution| |FIXED
--- Comment #4 from Mark Thomas <ma...@apache.org> 2008-12-27 11:52:36 PST ---
This has been fixed in 6.0.x and will be included in 6.0.19 onwards.
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org