Posted to httpclient-users@hc.apache.org by ll...@oreillyauto.com on 2012/04/17 15:52:53 UTC

Question about spaces in cookie values

Does HTTPClient4 have any known issues with having spaces in cookies?

I have a webapp I am working with, and some of the cookies have spaces in
the value. This does not present a problem in my browser, but it does in
the app I am using (specifically, jmeter 2.6). I do have it set to use
"compatibility" mode.

The odd thing is, when I look in jmeter logs & results, in fiddler and even
in the Apache logs, I see the full cookie value, even the space and text
after it.  However, my tomcat logs show the cookie value being truncated at
the space.

As a separate test, I did create a java project of my own that does the
same set of requests I am using in jmeter - and I got the same results
where I am unable to login successfully, and again due to that space - even
though the line that prints the cookies shows the full cookies.

Any ideas or suggestions?

Thank you.


Lee Lowder

This communication and any attachments are confidential, protected by Communications Privacy Act 18 USCS § 2510, solely for the use of the intended recipient, and may contain legally privileged material. If you are not the intended recipient, please return or destroy it immediately. Thank you.

---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
For additional commands, e-mail: httpclient-users-help@hc.apache.org


Re: Question about spaces in cookie values

Posted by ll...@oreillyauto.com.
Oleg Kalnichevski <ol...@apache.org> wrote on 04/17/2012 05:09:11 PM:

> On Tue, 2012-04-17 at 08:52 -0500, llowder@oreillyauto.com wrote:
> > Does HTTPClient4 have any known issues with having spaces in cookies?
> >
>
> White spaces in cookie values are legal for legacy (Netscape style)
> cookies and for standard HTTP cookies as long as they are enclosed with
> quotation marks. Cookie values with white spaces not enclosed with
> quotation marks may be treated as ambiguous by the strict (standard
> compliant) cookie policies.

My understanding of both specifications is that Netscape disallowed
whitespace unless you used URL Encoding or a similar encoding, though it
did not specify one in particular, and that in RFC 2109 (and the newer one
too) the value was defined as being either a token (no white space or
special characters) or a quoted string.

>
> > I have a webapp I am working with, and some of the cookies have spaces in
> > the value. This does not present a problem in my browser, but it does in
> > the app I am using (specifically, jmeter 2.6). I do have it set to use
> > "compatibility" mode.
> >
> > The odd thing is, when I look in jmeter logs & results, in fiddler and even
> > in the Apache logs, I see the full cookie value, even the space and text
> > after it.  However, my tomcat logs show the cookie value being truncated at
> > the space.
> >
> > As a separate test, I did create a java project of my own that does the
> > same set of requests I am using in jmeter - and I got the same results
> > where I am unable to login successfully, and again due to that space - even
> > though the line that prints the cookies shows the full cookies.
> >
> > Any ideas or suggestions?
> >
>
> If you post the exact cookie header your application is having the
> problem with I should be able to tell how different cookie policies
> would end up handling it.


I was going through stuff again to find the headers, and find them as exact as
I could, and then suddenly I noticed something I had missed before.

What is causing this problem is a bug that was "resolved" as "won't fix".


Httpclient is stripping the quotes from the value section of the cookie.

See: https://issues.apache.org/jira/browse/HTTPCLIENT-1006

I would have to agree with Marc that this is wrong behavior, especially for
a "browser compatibility" mode, though even under the various RFCs this is
wrong as they explicitly state that a quoted string is valid and legal for
value, and you can't have a quoted string without quotes.

I am using httpclient 4.1.3 in my direct tests and whatever version of
httpclient is used with Jmeter 2.6 R1237317.

From reading that one bug report, it looks like I will have to make some
changes to the cookie policy specification, though I am unsure how to do
that. I did a little looking yesterday and wasn't really able to find much
on how to actually do that, so if I could be pointed in the direction of
how to do that, I would appreciate it (I can program, but I am an admin not
a programmer).


Lee Lowder



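The symptom reported above (full value on the wire, value cut at the space on the server) is consistent with a strict `value = token | quoted-string` parser receiving a value whose quotes were removed. The following is an added example, not part of the original messages and not code from HttpClient, JMeter or Tomcat; the cookie names and values are constructed, and `parseStrict` and `formatValue` are hypothetical helpers that ignore backslash escapes inside quoted strings.

```java
import java.util.*;
public class CookieQuoteDemo {
    // RFC 2616 separators; a token ends at any of these or at a control character.
    private static final String SEPARATORS = "()<>@,;:\\\"/[]?={} \t";
    static boolean isTokenChar(char c) {
        return c > 31 && c < 127 && SEPARATORS.indexOf(c) < 0;
    }

    /** Strict parse of a Cookie header value: value = token | quoted-string. */
    static Map<String, String> parseStrict(String header) {
        Map<String, String> cookies = new LinkedHashMap<String, String>();
        int i = 0, n = header.length();
        while (i < n) {
            while (i < n && !isTokenChar(header.charAt(i))) i++;  // skip "; "
            int start = i;
            while (i < n && isTokenChar(header.charAt(i))) i++;
            String name = header.substring(start, i);
            if (i >= n || header.charAt(i) != '=') continue;      // no value
            i++;
            String value;
            if (i < n && header.charAt(i) == '"') {               // quoted-string
                int close = header.indexOf('"', i + 1);
                if (close < 0) close = n;                         // unterminated
                value = header.substring(i + 1, close);
                i = close;
            } else {                                              // token
                start = i;
                while (i < n && isTokenChar(header.charAt(i))) i++;
                value = header.substring(start, i);               // ends at the space
            }
            cookies.put(name, value);
            while (i < n && header.charAt(i) != ';') i++;         // drop the rest
        }
        return cookies;
    }

    /** Quote a value that is not a plain token (assumes it has no '"' or '\'). */
    static String formatValue(String v) {
        for (int k = 0; k < v.length(); k++)
            if (!isTokenChar(v.charAt(k))) return "\"" + v + "\"";
        return v;
    }

    public static void main(String[] args) {
        String stored = "user 12345";  // constructed value, quotes already stripped
        System.out.println("bare:   " + parseStrict("SESSION=" + stored + "; lang=en"));
        System.out.println("quoted: " + parseStrict("SESSION=" + formatValue(stored) + "; lang=en"));
    }
}
```
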
Re: Question about spaces in cookie values

Posted by Oleg Kalnichevski <ol...@apache.org>.
On Tue, 2012-04-17 at 08:52 -0500, llowder@oreillyauto.com wrote:
> Does HTTPClient4 have any known issues with having spaces in cookies?
> 

White spaces in cookie values are legal for legacy (Netscape style)
cookies and for standard HTTP cookies as long as they are enclosed with
quotation marks. Cookie values with white spaces not enclosed with
quotation marks may be treated as ambiguous by the strict (standard
compliant) cookie policies. 

> I have a webapp I am working with, and some of the cookies have spaces in
> the value. This does not present a problem in my browser, but it does in
> the app I am using (specifically, jmeter 2.6). I do have it set to use
> "compatibility" mode.
> 
> The odd thing is, when I look in jmeter logs & results, in fiddler and even
> in the Apache logs, I see the full cookie value, even the space and text
> after it.  However, my tomcat logs show the cookie value being truncated at
> the space.
> 
> As a separate test, I did create a java project of my own that does the
> same set of requests I am using in jmeter - and I got the same results
> where I am unable to login successfully, and again due to that space - even
> though the line that prints the cookies shows the full cookies.
> 
> Any ideas or suggestions?
> 

If you post the exact cookie header your application is having the
problem with I should be able to tell how different cookie policies
would end up handling it.

Oleg


