Posted to users@tomcat.apache.org by va...@lhsystems.com on 2007/05/07 13:00:13 UTC

Cookie's value and double quotes with tomcat 6.0.10

Hi everyone!

First, thanks for reading this.

Here is the situation: 

Entrust (a provider of security solutions) offers Java-based security applications for enterprises. 
Their installer installs its own Java virtual machine for each application as well as its own Tomcat (v 5.5.17).

As we are already running some self-developed servlets, 
we wish to extract the server application and run it with our own JVM (6u1) and Tomcat (6.0.10).
That's what we did: the servlets are up and running. 

But we are apparently facing a problem regarding the cookie's value.
When I am running the ISAPI redirector in DEBUG mode, I get this:

[Fri May 04 17:59:08 2007] [1308:1988] [debug] jk_ajp_common.c (684): Header[3] [Set-Cookie] = [EntrustTruePassID="\"7.0|Y249U[...]PUx1ZnRoYW5zYSwgYz1kZQ==|1|2007-05-04 15:59:08 UTC|1200|50|-61|Qx2M2Q==|[...]3VmobNkg8j46JaoSkgMCTU=\""; Domain=.blabla.com; Path=/; Secure]

The cookie's value is twice double quoted -> the inner double quotes have been backslashed.
On a test server, with the native install of this application, the same log entry looks like this:

[Fri May 04 15:57:29 2007] [1884:3676] [debug] jk_ajp_common.c (684): Header[3] [Set-Cookie] = [EntrustTruePassID="7.[...]fDs==|1|2007-05-04 13:57:29 UTC|1200|50|0|Qx2M2Q==|[..]/d5wFNo145sdCJHdGXkayL8v3RFTSv2VT5Wvd6zixINFvHywI55zeDJq8len0="; domain=.blabla.com; path=/; secure]

Because the cookie's value has been changed, the authentication process fails:

Fri May 04 17:59:09 2007 - WARNING       - [SessionValidationImpl::checkAuthentication()] - Auth cookie: Reporting Error:
TruePass: TPAuthCookie - Could not create the cookie using the cookie string
		Line number: 253
		File name: AuthCookie.cpp
	caused by TruePass: TPAuthCookie - Could not validate the authentication cookie
		Line number: 976
		File name: AuthCookie.cpp
	caused by TruePass: TPAuthCookie - The authentication cookie string is improperly formatted
		Line number: 763
		File name: AuthCookie.cpp


Before I give up, I would like to ask the specialists, if I am missing any point here ;)
I read some posts about v0 cookies values problems (http://issues.apache.org/bugzilla/show_bug.cgi?id=36863) 
and I am wondering if it may also be a Tomcat problem here.

Thanks a lot for your time
Best regards

Valéry.

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


AW: Re: Cookie's value and double quotes with tomcat 6.0.10

Posted by va...@lhsystems.com.
Hi Bill,

Many thanks for your reply. 
I will try to fix this with Entrust.

Very Best
Valery.

-----Original Message-----
From: news [mailto:news@sea.gmane.org] On Behalf Of Bill Barker
Sent: Tuesday, 8 May 2007 05:05
To: users@tomcat.apache.org
Subject: Re: Cookie's value and double quotes with tomcat 6.0.10

Yes, that is the correct BZ issue.  It was decided that TC would quote cookie values containing special characters, even for v0 cookies.  The thought was that browsers would likely understand the quoted value and handle it correctly.  It seems that Entrust thought the same thing, and they came up with their nasty little hack to quote the value.  You will have to take it up with Entrust and get them to stop trying to quote the cookie value themselves.




AW: Re: Cookie's value and double quotes with tomcat 6.0.10

Posted by va...@lhsystems.com.
Hi,

Sorry to bother again, but there is still something I can't understand.

The changelog of Tomcat indicates that the changes you've reported happened with Tomcat version 5.5.14.
(It says "Strip quotes when parsing Cookie values, even for v0 Cookies".)
However, the integrated Tomcat delivered with the Entrust application is a version 5.5.17.

If I am not mistaken, the changes mentioned above should also apply to the native install of the Entrust Truepass, which means I should get the same error.

What am I missing here?

Thanks again for your time,
Very Best
Valéry. 

-----Original Message-----
From: news [mailto:news@sea.gmane.org] On Behalf Of Bill Barker
Sent: Tuesday, 8 May 2007 05:05
To: users@tomcat.apache.org
Subject: Re: Cookie's value and double quotes with tomcat 6.0.10

Yes, that is the correct BZ issue.  It was decided that TC would quote cookie values containing special characters, even for v0 cookies.  The thought was that browsers would likely understand the quoted value and handle it correctly.  It seems that Entrust thought the same thing, and they came up with their nasty little hack to quote the value.  You will have to take it up with Entrust and get them to stop trying to quote the cookie value themselves.




Re: Cookie's value and double quotes with tomcat 6.0.10

Posted by Bill Barker <wb...@wilshire.com>.
Yes, that is the correct BZ issue.  It was decided that TC would quote 
cookie values containing special characters, even for v0 cookies.  The 
thought was that browsers would likely understand the quoted value and 
handle it correctly.  It seems that Entrust thought the same thing, and they 
came up with their nasty little hack to quote the value.  You will have to 
take it up with Entrust and get them to stop trying to quote the cookie 
value themselves.


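Added example (not part of the thread, and not Tomcat or Entrust code): a simplified Java model of the behaviour described in Bill's reply, where the application quotes the cookie value itself and the container then quotes it again and backslash-escapes the inner quotes. The class name, the set of "special" characters and the sample cookie value are assumptions constructed for illustration; the log check matches the value prefix seen in the failing Set-Cookie line.

```java
public class CookieQuoteDemo {
    // Assumed set of characters that trigger quoting; illustrative only,
    // not copied from Tomcat.
    static final String SPECIALS = "\"|=;, \t";

    // Model of the container side: quote a value that contains a special
    // character and backslash-escape double quotes already present in it.
    static String containerQuote(String value) {
        boolean special = value.chars().anyMatch(c -> SPECIALS.indexOf(c) >= 0);
        if (!special) {
            return value;
        }
        return "\"" + value.replace("\"", "\\\"") + "\"";
    }

    // Application-side fix: drop quotes the application added itself, so the
    // container is the only layer that quotes.
    static String stripOwnQuotes(String value) {
        if (value.length() >= 2 && value.startsWith("\"") && value.endsWith("\"")) {
            return value.substring(1, value.length() - 1);
        }
        return value;
    }

    // Log check: true when a Set-Cookie header carries a value that was
    // quoted twice, i.e. the value begins with "\" as in the failing log line.
    static boolean isDoubleQuoted(String setCookie) {
        int eq = setCookie.indexOf('=');
        return eq >= 0 && setCookie.startsWith("\"\\\"", eq + 1);
    }

    public static void main(String[] args) {
        // Constructed sample value: same field layout as the log, fake data.
        String raw = "7.0|Q09OU1RSVUNURUQ=|1|2007-05-04 15:59:08 UTC|1200|50";
        String appQuoted = "\"" + raw + "\"";   // what the application hands over

        String broken = "EntrustTruePassID=" + containerQuote(appQuoted) + "; Path=/; Secure";
        String fixed = "EntrustTruePassID=" + containerQuote(stripOwnQuotes(appQuoted)) + "; Path=/; Secure";

        System.out.println(broken + "  doubleQuoted=" + isDoubleQuoted(broken));
        System.out.println(fixed + "  doubleQuoted=" + isDoubleQuoted(fixed));
    }
}
```

The first printed header has the same `="\"...\""` shape as the failing log entry; the second has the single-quoted shape seen on the test server.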