Posted to dev@tomcat.apache.org by Kyohei Nakamura <na...@gmail.com> on 2016/05/23 06:48:56 UTC

About CookieNameValidator

Hi all,

I think that the CookieNameValidator has an issue related to
consistency.

The javax.servlet.http.CookieNameValidator has multiple implementations.
If the org.apache.tomcat.util.http.ServerCookie.STRICT_NAMING system
property is not specified, the javax.servlet.http.NetscapeValidator will be
used by default.

The NetscapeValidator allows HTTP separators (excluding semi-colon, comma
and white space) in the cookie name.
However, the Rfc6265CookieProcessor and the LegacyCookieProcessor do not
allow HTTP separators in the cookie name.
As a result, although Tomcat sends a cookie header that includes HTTP
separators in the cookie name, Tomcat cannot receive the cookie header.
I think that it lacks consistency.
The CookieNameValidator and the CookieProcessor should be consistent.

On the other hand, the implementation of CookieNameValidator to use can be
switched by the org.apache.tomcat.util.http.ServerCookie.STRICT_NAMING
system property, but cannot be switched per Context, like the
CookieProcessor.
I think that setting the CookieNameValidator per Context is more useful.

Best regards,
Kyohei Nakamura
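
The mismatch described in this message, sketched as an added example that is not part of the original post or of Tomcat's code. The two checks are simplified models of the set-side and parse-side rules as the message describes them; the class and method names are hypothetical and the sample cookie names are constructed.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public class CookieNameRoundTripCheck {
    // HTTP separators as listed in RFC 2616, section 2.2.
    private static final String HTTP_SEPARATORS = "()<>@,;:\\\"/[]?={} \t";

    // Set side (simplified model): only semicolon, comma and white space refused.
    static boolean acceptedWhenSetting(String name) {
        return isPrintableAscii(name) && containsNone(name, ";, ");
    }

    // Parse side (simplified model): no HTTP separator allowed in the name.
    static boolean acceptedWhenParsing(String name) {
        return isPrintableAscii(name) && containsNone(name, HTTP_SEPARATORS);
    }

    // Non-empty, and every character in 0x20..0x7E (tab and other controls fail here).
    private static boolean isPrintableAscii(String s) {
        if (s == null || s.isEmpty()) return false;
        for (char c : s.toCharArray()) {
            if (c < 0x20 || c > 0x7e) return false;
        }
        return true;
    }

    private static boolean containsNone(String s, String forbidden) {
        for (char c : s.toCharArray()) {
            if (forbidden.indexOf(c) >= 0) return false;
        }
        return true;
    }

    // Names that can be sent in Set-Cookie but would be rejected when echoed back.
    static List<String> lostOnReturn(List<String> names) {
        List<String> lost = new ArrayList<>();
        for (String n : names) {
            if (acceptedWhenSetting(n) && !acceptedWhenParsing(n)) lost.add(n);
        }
        return lost;
    }

    public static void main(String[] args) {
        // Constructed sample names, not taken from the thread.
        List<String> names = Arrays.asList("JSESSIONID", "user@example", "cart[0]", "theme/dark", "bad;name");
        System.out.println("Accepted on set, rejected on parse: " + lostOnReturn(names));
    }
}
```

Running a check like this over the cookie names an application sets shows which ones depend on the permissive set-side rule and would not survive a round trip.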

Re: About CookieNameValidator

Posted by Kyohei Nakamura <na...@gmail.com>.
Hi all,

I created a Bugzilla issue related to the previous mail.
https://bz.apache.org/bugzilla/show_bug.cgi?id=59655

What do you think about this?


Best regards,
Kyohei Nakamura


2016-05-23 15:48 GMT+09:00 Kyohei Nakamura <na...@gmail.com>:

> Hi all,
>
> I think that the CookieNameValidator has an issue related to
> consistency.
>
> The javax.servlet.http.CookieNameValidator has multiple implementations.
> If the org.apache.tomcat.util.http.ServerCookie.STRICT_NAMING system
> property is not specified, the javax.servlet.http.NetscapeValidator will be
> used by default.
>
> The NetscapeValidator allows HTTP separators (excluding semi-colon, comma
> and white space) in the cookie name.
> However, the Rfc6265CookieProcessor and the LegacyCookieProcessor do not
> allow HTTP separators in the cookie name.
> As a result, although Tomcat sends a cookie header that includes HTTP
> separators in the cookie name, Tomcat cannot receive the cookie header.
> I think that it lacks consistency.
> The CookieNameValidator and the CookieProcessor should be consistent.
>
> On the other hand, the implementation of CookieNameValidator to use can be
> switched by the org.apache.tomcat.util.http.ServerCookie.STRICT_NAMING
> system property, but cannot be switched per Context, like the
> CookieProcessor.
> I think that setting the CookieNameValidator per Context is more useful.
>
> Best regards,
> Kyohei Nakamura
>
>