You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by ma...@apache.org on 2017/02/27 14:04:09 UTC
svn commit: r1784565 - in /tomcat/trunk: java/org/apache/tomcat/util/http/CookieProcessorBase.java java/org/apache/tomcat/util/http/LegacyCookieProcessor.java java/org/apache/tomcat/util/http/Rfc6265CookieProcessor.java webapps/docs/changelog.xml

Author: markt
Date: Mon Feb 27 14:04:09 2017
New Revision: 1784565

URL: http://svn.apache.org/viewvc?rev=1784565&view=rev
Log:
Modify the cookie header generated by the Rfc6265CookieProcessor so it always sends an Expires attribute as well as a Max-Age attribute to avoid problems with Microsoft browsers that do not support the Max-Age attribute.
Note the code that sets the Expires attribute was refactored from the LegacyCookieProcessor into a new, common base class. 

Added:
    tomcat/trunk/java/org/apache/tomcat/util/http/CookieProcessorBase.java
Modified:
    tomcat/trunk/java/org/apache/tomcat/util/http/LegacyCookieProcessor.java
    tomcat/trunk/java/org/apache/tomcat/util/http/Rfc6265CookieProcessor.java
    tomcat/trunk/webapps/docs/changelog.xml

Added: tomcat/trunk/java/org/apache/tomcat/util/http/CookieProcessorBase.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/http/CookieProcessorBase.java?rev=1784565&view=auto
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/http/CookieProcessorBase.java (added)
+++ tomcat/trunk/java/org/apache/tomcat/util/http/CookieProcessorBase.java Mon Feb 27 14:04:09 2017
@@ -0,0 +1,45 @@
+/*
+ *  Licensed to the Apache Software Foundation (ASF) under one or more
+ *  contributor license agreements.  See the NOTICE file distributed with
+ *  this work for additional information regarding copyright ownership.
+ *  The ASF licenses this file to You under the Apache License, Version 2.0
+ *  (the "License"); you may not use this file except in compliance with
+ *  the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+package org.apache.tomcat.util.http;
+
+import java.text.DateFormat;
+import java.text.SimpleDateFormat;
+import java.util.Date;
+import java.util.Locale;
+import java.util.TimeZone;
+
+public abstract class CookieProcessorBase implements CookieProcessor {
+
+    private static final String COOKIE_DATE_PATTERN = "EEE, dd-MMM-yyyy HH:mm:ss z";
+
+    protected static final ThreadLocal<DateFormat> COOKIE_DATE_FORMAT =
+        new ThreadLocal<DateFormat>() {
+        @Override
+        protected DateFormat initialValue() {
+            DateFormat df =
+                new SimpleDateFormat(COOKIE_DATE_PATTERN, Locale.US);
+            df.setTimeZone(TimeZone.getTimeZone("GMT"));
+            return df;
+        }
+    };
+
+    protected static final String ANCIENT_DATE;
+
+    static {
+        ANCIENT_DATE = COOKIE_DATE_FORMAT.get().format(new Date(10000));
+    }
+}

Modified: tomcat/trunk/java/org/apache/tomcat/util/http/LegacyCookieProcessor.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/http/LegacyCookieProcessor.java?rev=1784565&r1=1784564&r2=1784565&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/http/LegacyCookieProcessor.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/http/LegacyCookieProcessor.java Mon Feb 27 14:04:09 2017
@@ -18,13 +18,9 @@ package org.apache.tomcat.util.http;
 
 import java.nio.charset.Charset;
 import java.nio.charset.StandardCharsets;
-import java.text.DateFormat;
 import java.text.FieldPosition;
-import java.text.SimpleDateFormat;
 import java.util.BitSet;
 import java.util.Date;
-import java.util.Locale;
-import java.util.TimeZone;
 
 import javax.servlet.http.Cookie;
 
@@ -44,7 +40,7 @@ import org.apache.tomcat.util.res.String
  * @author Costin Manolache
  * @author kevin seguin
  */
-public final class LegacyCookieProcessor implements CookieProcessor {
+public final class LegacyCookieProcessor extends CookieProcessorBase {
 
     private static final Log log = LogFactory.getLog(LegacyCookieProcessor.class);
 
@@ -62,26 +58,10 @@ public final class LegacyCookieProcessor
             '\t', ' ', '\"', '(', ')', ',', ':', ';', '<', '=', '>', '?', '@',
             '[', '\\', ']', '{', '}' };
 
-    private static final String COOKIE_DATE_PATTERN = "EEE, dd-MMM-yyyy HH:mm:ss z";
-    private static final ThreadLocal<DateFormat> COOKIE_DATE_FORMAT =
-        new ThreadLocal<DateFormat>() {
-        @Override
-        protected DateFormat initialValue() {
-            DateFormat df =
-                new SimpleDateFormat(COOKIE_DATE_PATTERN, Locale.US);
-            df.setTimeZone(TimeZone.getTimeZone("GMT"));
-            return df;
-        }
-    };
-
-    private static final String ANCIENT_DATE;
-
     static {
         for (char c : V0_SEPARATORS) {
             V0_SEPARATOR_FLAGS.set(c);
         }
-
-        ANCIENT_DATE = COOKIE_DATE_FORMAT.get().format(new Date(10000));
     }
 
     private final boolean STRICT_SERVLET_COMPLIANCE =

Modified: tomcat/trunk/java/org/apache/tomcat/util/http/Rfc6265CookieProcessor.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/http/Rfc6265CookieProcessor.java?rev=1784565&r1=1784564&r2=1784565&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/http/Rfc6265CookieProcessor.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/http/Rfc6265CookieProcessor.java Mon Feb 27 14:04:09 2017
@@ -18,7 +18,9 @@ package org.apache.tomcat.util.http;
 
 import java.nio.charset.Charset;
 import java.nio.charset.StandardCharsets;
+import java.text.FieldPosition;
 import java.util.BitSet;
+import java.util.Date;
 
 import org.apache.juli.logging.Log;
 import org.apache.juli.logging.LogFactory;
@@ -27,7 +29,7 @@ import org.apache.tomcat.util.buf.Messag
 import org.apache.tomcat.util.http.parser.Cookie;
 import org.apache.tomcat.util.res.StringManager;
 
-public class Rfc6265CookieProcessor implements CookieProcessor {
+public class Rfc6265CookieProcessor extends CookieProcessorBase {
 
     private static final Log log = LogFactory.getLog(Rfc6265CookieProcessor.class);
 
@@ -98,7 +100,9 @@ public class Rfc6265CookieProcessor impl
     @Override
     public String generateHeader(javax.servlet.http.Cookie cookie) {
 
-        StringBuilder header = new StringBuilder();
+        // Can't use StringBuilder due to DateFormat
+        StringBuffer header = new StringBuffer();
+
         // TODO: Name validation takes place in Cookie and cannot be configured
         //       per Context. Moving it to here would allow per Context config
         //       but delay validation until the header is generated. However,
@@ -112,12 +116,28 @@ public class Rfc6265CookieProcessor impl
             header.append(value);
         }
 
-        // RFC 6265 prefers Max-Age to Expires so use Max-Age
+        // RFC 6265 prefers Max-Age to Expires but... (see below)
         int maxAge = cookie.getMaxAge();
         if (maxAge > -1) {
             // Negative Max-Age is equivalent to no Max-Age
             header.append(";Max-Age=");
             header.append(maxAge);
+
+            // Microsoft IE and Microsoft Edge don't understand Max-Age so send
+            // expires as well. Without this, persistent cookies fail with those
+            // browsers. See http://tomcat.markmail.org/thread/g6sipbofsjossacn
+
+            // Wdy, DD-Mon-YY HH:MM:SS GMT ( Expires Netscape format )
+            header.append ("; Expires=");
+            // To expire immediately we need to set the time in past
+            if (maxAge == 0) {
+                header.append(ANCIENT_DATE);
+            } else {
+                COOKIE_DATE_FORMAT.get().format(
+                        new Date(System.currentTimeMillis() + maxAge * 1000L),
+                        header,
+                        new FieldPosition(0));
+            }
         }
 
         String domain = cookie.getDomain();

Modified: tomcat/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1784565&r1=1784564&r2=1784565&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Mon Feb 27 14:04:09 2017
@@ -175,6 +175,13 @@
         expectation is that configuration will be performed via a JSSE provider
         specific mechanisms. (markt)
       </fix>
+      <fix>
+        Modify the cookie header generated by the
+        <code>Rfc6265CookieProcessor</code> so it always sends an
+        <code>Expires</code> attribute as well as a <code>Max-Age</code>
+        attribute to avoid problems with Microsoft browsers that do not support
+        the <code>Max-Age</code> attribute. (markt)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Jasper">



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org