Posted to users@tomcat.apache.org by "Tessler, Micah (M.B.)" <mt...@ford.com> on 2015/11/10 20:53:30 UTC

org.apache.tomcat.util.http.ServerCookie.ALLOW_EQUALS_IN_VALUE Explanation

I am trying to understand the reasoning behind needing this setting: org.apache.tomcat.util.http.ServerCookie.ALLOW_EQUALS_IN_VALUE=true
When set to true, my cookie values can contain the '=' character.
I assume that Tomcat did not implement this setting, which defaults to false, for no reason.
I'd like to understand the cost/downside of turning this on.
The upside is that I can accept valid cookies that aren't truncated.

I can't find the relevant portion of rfc6265 that disallows '=' character in cookie values, so I don't think that's it.
https://tools.ietf.org/html/rfc6265
cookie-value      = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE )
cookie-octet      = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
                      ; US-ASCII characters excluding CTLs,
                      ; whitespace DQUOTE, comma, semicolon,
                      ; and backslash

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: org.apache.tomcat.util.http.ServerCookie.ALLOW_EQUALS_IN_VALUE Explanation

Posted by Mark Thomas <ma...@apache.org>.
On 10/11/2015 19:53, Tessler, Micah (M.B.) wrote:
> I am trying to understand the reasoning behind needing this setting: org.apache.tomcat.util.http.ServerCookie.ALLOW_EQUALS_IN_VALUE=true
> When set to true, my cookie values can contain the '=' character.
> I assume that Tomcat did not implement this setting, which defaults to false, for no reason.
> I'd like to understand the cost/downside of turning this on.
> The upside is that I can accept valid cookies that aren't truncated.

The point is that those cookies aren't valid.

> I can't find the relevant portion of rfc6265 that disallows '=' character in cookie values, so I don't think that's it.

No, it isn't. RFC6265 isn't mentioned anywhere in any Servlet
specification. The Servlet spec still refers to RFC2109. By default, all
Tomcat versions up to 8.0.x use RFC2109. 8.0.x can be
switched to RFC6265. Look for CookieProcessor in the docs.

Mark


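The two grammars the thread is comparing can be checked side by side. The following is an added example written for this thread, not Tomcat's code and not the code of either poster: it validates a cookie value against the RFC 6265 cookie-octet grammar quoted in the question, and against the RFC 2109 value grammar (an RFC 2068 token or quoted-string) that the Servlet specification refers to. The `token_parser_value` function is a deliberately simplified model of a token-only parser that stops at the first non-token character; it is an assumption used to illustrate the truncation the question describes, not a description of Tomcat's implementation.

```python
"""Cookie-value validity under RFC 6265 versus RFC 2109.

Added example for this thread (not Tomcat code).  '=' is %x3D, which lies
inside the %x3C-5B range of RFC 6265 cookie-octet, so RFC 6265 permits it
in a bare value.  RFC 2109 values are RFC 2068 tokens or quoted-strings,
and '=' is an RFC 2068 tspecial, so RFC 2109 permits it only inside quotes.
"""
import re

# RFC 6265: cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
_COOKIE_OCTETS = r'[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*'
# cookie-value = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE )
_RFC6265_VALUE = re.compile(rf'^(?:{_COOKIE_OCTETS}|"{_COOKIE_OCTETS}")$')

# RFC 2068 tspecials; a token is 1*<any CHAR except CTLs or tspecials>.
_TSPECIALS = set('()<>@,;:\\"/[]?={} \t')


def is_rfc6265_value(value: str) -> bool:
    """True if value matches cookie-value from RFC 6265 section 4.1.1."""
    return _RFC6265_VALUE.fullmatch(value) is not None


def _is_token_char(c: str) -> bool:
    # Printable US-ASCII (CTLs and SP excluded) that is not a tspecial.
    return 0x21 <= ord(c) <= 0x7E and c not in _TSPECIALS


def _is_token(s: str) -> bool:
    return len(s) > 0 and all(_is_token_char(c) for c in s)


def _is_quoted_string(s: str) -> bool:
    """quoted-string = <"> *(qdtext | quoted-pair) <">, qdtext = TEXT minus <">."""
    if len(s) < 2 or s[0] != '"' or s[-1] != '"':
        return False
    i = 1
    while i < len(s) - 1:
        c = s[i]
        if c == '\\':            # quoted-pair: "\" CHAR
            i += 2
            continue
        if c == '"' or ord(c) < 0x20 or ord(c) == 0x7F:
            return False         # a bare DQUOTE or a CTL is not qdtext
        i += 1
    return i == len(s) - 1       # a trailing "\" would have escaped the closing quote


def is_rfc2109_value(value: str) -> bool:
    """True if value is an RFC 2109 value, i.e. an RFC 2068 token or quoted-string."""
    return _is_token(value) or _is_quoted_string(value)


def token_parser_value(raw: str) -> str:
    """Simplified model (an assumption, not Tomcat's code) of a token-only
    parser: the value ends at the first character that is not a token
    character, so 'base64==' is read as 'base64'."""
    out = []
    for c in raw:
        if not _is_token_char(c):
            break
        out.append(c)
    return ''.join(out)


def classify(value: str) -> dict:
    """Report which of the two grammars accept the value."""
    return {"rfc6265": is_rfc6265_value(value), "rfc2109": is_rfc2109_value(value)}


if __name__ == "__main__":
    # Constructed sample values for illustration.
    samples = ["abc", "abc=def", '"abc=def"', "base64==", "a,b", "a b", ""]
    for v in samples:
        r = classify(v)
        print(f"{v!r:12} rfc6265={r['rfc6265']!s:5} rfc2109={r['rfc2109']!s:5} "
              f"token-only parser sees {token_parser_value(v)!r}")
```

Running it shows the point of Mark's reply: `abc=def` and `base64==` are valid RFC 6265 values but not RFC 2109 values, and a token-only reader keeps only the part before the first `=`; wrapping the value in double quotes makes it acceptable under both grammars.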