Posted to dev@tomcat.apache.org by bu...@apache.org on 2013/08/06 20:03:25 UTC

[Bug 55371] New: Cookies retrieved from tomcat server is not correct

https://issues.apache.org/bugzilla/show_bug.cgi?id=55371

            Bug ID: 55371
           Summary: Cookies retrieved from tomcat server is not correct
           Product: Tomcat 6
           Version: unspecified
          Hardware: All
                OS: Linux
            Status: NEW
          Severity: critical
          Priority: P2
         Component: Catalina
          Assignee: dev@tomcat.apache.org
          Reporter: raginiSingh.2006@gmail.com

Hi,

I am using Tomcat 5.5.23 on RHEL5 and I am facing the same issue. The cookie we
use is encrypted and looks like:

"gAAAAQDAgEBAAAAvAIAAAAAAAAsAAAABABTaGRyAk4Aawg4AC4AMQAwABT+Np6GOVSAJB8Qx02=="

When the cookie is retrieved it loses the "==" at the end.

We are also using 
Tomcat 4.1.24, Tomcat 6.0.14 on Solaris machines
Tomcat 6.0.2 on Windows 
and the same piece of code is working fine there and the cookie is retrieved
correctly. I wanted to know if there is a fix for this in Tomcat 5.5.x version
or will I need to upgrade to higher versions of Tomcat. This step is critical
in our application.

Thank you,
RS

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


[Bug 55371] Cookies retrieved from tomcat server is not correct

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=55371

--- Comment #2 from raginiSingh.2006@gmail.com ---
Thank you Nick for the response. We are in the process of upgrading and I wanted
to know which latest version of Tomcat would resolve this issue.

RS



[Bug 55371] Cookies retrieved from tomcat server is not correct

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=55371

Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |INVALID

--- Comment #3 from Mark Thomas <ma...@apache.org> ---
Your cookie is invalid. The specifications do not permit the equals character
in a cookie value unless the value is correctly quoted.

Newer versions of Tomcat support the 
org.apache.tomcat.util.http.ServerCookie.ALLOW_EQUALS_IN_VALUE system property
but be aware allowing equals characters may introduce security issues.

The users list is the place to ask if you need more help.

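An application-side way to avoid the "=" problem described in Comment #3, shown here as an added example that is not part of the thread and not Tomcat code: encode the binary token with URL-safe Base64 without padding, so the value needs neither quoting nor ALLOW_EQUALS_IN_VALUE. It assumes Java 8 or later for java.util.Base64; the class name, method names and sample bytes are hypothetical.

```java
import java.util.Arrays;
import java.util.Base64;

// Added example, not Tomcat code. All names here are hypothetical.
public class CookieValueCodec {

    // Separator characters from RFC 2616 section 2.2. Under the older cookie
    // specifications a value containing any of them, '=' included, must be quoted.
    private static final String SEPARATORS = "()<>@,;:\\\"/[]?={} \t";

    // True if the value can be sent unquoted: printable ASCII and no separators.
    static boolean isUnquotedSafe(String value) {
        if (value.isEmpty()) {
            return false;
        }
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (c <= 0x20 || c >= 0x7f || SEPARATORS.indexOf(c) >= 0) {
                return false;
            }
        }
        return true;
    }

    // URL-safe Base64 without padding: only A-Z, a-z, 0-9, '-' and '_' appear.
    static String encode(byte[] raw) {
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    // The JDK URL-safe decoder accepts input with or without trailing padding.
    static byte[] decode(String cookieValue) {
        return Base64.getUrlDecoder().decode(cookieValue);
    }

    public static void main(String[] args) {
        // Constructed sample bytes standing in for an encrypted token.
        byte[] token = {(byte) 0xfb, (byte) 0xff, 0x10, 0x20};

        String standard = Base64.getEncoder().encodeToString(token);
        String safe = encode(token);

        System.out.println(standard + " unquoted-safe: " + isUnquotedSafe(standard));
        System.out.println(safe + " unquoted-safe: " + isUnquotedSafe(safe));
        System.out.println("round trip ok: " + Arrays.equals(token, decode(safe)));
    }
}
```

The encoded string would be passed as the cookie value when the cookie is created and run through decode() when it is read back, before decryption.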


[Bug 55371] Cookies retrieved from tomcat server is not correct

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=55371

--- Comment #1 from Nick Williams <ni...@nicholaswilliams.net> ---
Tomcat 4.1.x is 9 years old and hasn't been supported for years. Any system
running it is extremely vulnerable and must upgrade immediately. We cannot help
you with it.

Tomcat 5.5 is 9 years old and 5.5.23 is 5 years old. Support ended for the
5.5 line in September of 2012. Any system running it is extremely vulnerable
and must upgrade immediately.

Tomcat 6.0.2 and 6.0.14 are both 6 years old. Any system running them is
extremely vulnerable and must upgrade immediately. The latest Tomcat 6 version
is 6.0.37. You should be running it or, better, 7.0.42.

There have been thousands of bugs fixed since the versions you are using, and
the problem you are indicating is likely one of them. Please upgrade.
