Posted to users@tomcat.apache.org by mateo-jl <ma...@orange.fr> on 2009/06/18 15:07:01 UTC

Cookies handling issue

Hi everybody,

Recently I reported a problem, which wasn't a new one, related to base64 encoding within cookies ("=" separator ... only when reading: request.getCookies).
I was told that this problem would probably be corrected in Tomcat 6.0.19 or 6.0.20 and 5.5.28. The last one is not yet released and in 6.0.20 I do not see any patch for this problem.
Do you think that it will be corrected?

Thank you

JLM

Re: Cookies handling issue

Posted by Mark Thomas <ma...@apache.org>.
mateo-jl wrote:
> Hello Mark,
> 
> I do not have any doubt about the fix, but I've read all the bugs in the ChangeLog (http://tomcat.apache.org/tomcat-6.0-doc/changelog.html) and I did not see the one related to this problem.

You need to read further down the page. They are all there.

> Maybe they are not all recorded.

The spec compliance changes were made in 6.0.15

The workaround for apps using '=' (automatically switching invalid v0
cookies to v1 and quoting them) went in to 6.0.16.

There was an IE related workaround in 6.0.17

Some sync issues were fixed in 6.0.19, httpOnly support was added, a
workaround for an IE/Safari bug was added

The biggest problem with all of this was getting to a cookie
implementation that was:
a) spec compliant (easy)
b) worked with all the major browsers (hard)

I believe we are there now.

Mark





---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Cookies handling issue

Posted by mateo-jl <ma...@orange.fr>.
Hello Mark,

I do not have any doubt about the fix, but I've read all the bugs in the ChangeLog (http://tomcat.apache.org/tomcat-6.0-doc/changelog.html) and I did not see the one related to this problem.
Maybe they are not all recorded.

Thank you for the response

JLM




> Message of 19/06/09 13:53
> From: "Mark Thomas"
> To: "Tomcat Users List"
> Cc:
> Subject: Re: Cookies handling issue
>
>
> mateo-jl wrote:
> > Hi everybody,
> >
> > Recently I reported a problem, which wasn't a new one, related to base64 encoding within cookies ("=" separator ... only when reading: request.getCookies).
> > I was told that this problem would probably be corrected in Tomcat 6.0.19 or 6.0.20 and 5.5.28. The last one is not yet released and in 6.0.20 I do not see any patch for this problem.
> > Do you think that it will be corrected?
> 
> As per the change log, it is fixed in 6.0.20
> 
> Mark

Re: Cookies handling issue

Posted by Mark Thomas <ma...@apache.org>.
mateo-jl wrote:
> Hi everybody,
>
> Recently I reported a problem, which wasn't a new one, related to base64 encoding within cookies ("=" separator ... only when reading: request.getCookies).
> I was told that this problem would probably be corrected in Tomcat 6.0.19 or 6.0.20 and 5.5.28. The last one is not yet released and in 6.0.20 I do not see any patch for this problem.
> Do you think that it will be corrected?

As per the change log, it is fixed in 6.0.20

Mark





RE: Cookies handling issue

Posted by "Rowe, Ciaran" <Ci...@morganstanley.com>.
Hi,

This issue probably won't be given a great deal of attention. There's conflict between what the spec says, and what has actually been going on in the development world. The de facto reality is that people have been using = characters in cookies despite them being prohibited for a long time.

If you want this "netscape style" cookie to be valid and not quoted by Tomcat, you should revert to the ServerCookie & Cookies code (org.apache.tomcat.util.http.*) from an earlier revision of the 5.5.x series (5.5.17 works - http://svn.apache.org/repos/asf/tomcat/connectors/tags/tc5.5.x/TOMCAT_5_5_17/util/java/org/apache/tomcat/util/http/)

Be vigilant w.r.t. any bugs/security issues logged against that version. 

-Ciarán
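
Added example, not part of any post in this thread and not Tomcat code: the '=' in the cookie value comes from standard base64 padding, so an application can avoid the invalid-v0 case by emitting URL-safe base64 without padding and checking the value against the HTTP token grammar before setting the cookie. The class and method names are hypothetical, the sample bytes are constructed, and java.util.Base64 (Java 8) postdates the Tomcat releases discussed above.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

// Added illustration; names are hypothetical and nothing here is Tomcat's own code.
public class CookieValueCheck {

    // Separators of the HTTP "token" grammar (RFC 2616 section 2.2). A version 0
    // cookie value containing any of them, '=' included, is the invalid case
    // described in the thread.
    private static final String SEPARATORS = "()<>@,;:\\\"/[]?={} \t";

    // True when the value is a plain token and can be sent unquoted.
    static boolean isToken(String value) {
        if (value.isEmpty()) {
            return false;
        }
        for (char c : value.toCharArray()) {
            if (c <= 0x20 || c >= 0x7f || SEPARATORS.indexOf(c) >= 0) {
                return false;
            }
        }
        return true;
    }

    // Standard base64: the alphabet contains '+' and '/', and padding uses '='.
    static String standard(byte[] raw) {
        return Base64.getEncoder().encodeToString(raw);
    }

    // URL-safe base64 without padding: only A-Z, a-z, 0-9, '-' and '_'.
    static String cookieSafe(byte[] raw) {
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    // The URL-safe decoder accepts input with the padding omitted.
    static byte[] decodeCookieSafe(String value) {
        return Base64.getUrlDecoder().decode(value);
    }

    public static void main(String[] args) {
        // Constructed sample: 14 bytes, so standard base64 ends in one '='.
        byte[] raw = "user=jlm;role?".getBytes(StandardCharsets.UTF_8);
        String std = standard(raw);
        String safe = cookieSafe(raw);
        System.out.println(std + "  token=" + isToken(std));
        System.out.println(safe + "  token=" + isToken(safe));
        System.out.println(new String(decodeCookieSafe(safe), StandardCharsets.UTF_8));
    }
}
```

The encoding only changes the alphabet; a cookie that carries state the server relies on still needs its own integrity protection.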

