Cookies
Parsing the Cookie header by Tomcat
| Issue | Current behaviour (8.0.0-RC10/7.0.50) | Proposed new behaviour | Servlet + Netscape + RFC2109 | Servlet + RFC 6265 |
|---|---|---|---|---|
| 0x80 to 0xFF in cookie value (Bug 55917) | IAE | TBD | Netscape yes. RFC2109 requires quotes. | RFC 6265 never allowed. |
| CTL allowed in quoted cookie values (Bug 55918) | Allowed | TBD | Not allowed. | Not allowed. |
| Quoted values in V0 cookies (Bug 55920) | Quotes removed. | TBD | Netscape - quotes are part of value. | Quotes are not part of value. |
| Raw JSON in cookie values (Bug 55921) | TBD | TBD | TBD | TBD |
| Allow equals in value | Not by default. Allowed if property set. | TBD | Netscape is ambiguous. RFC2109 requires quoting. | Allowed. |
| Allow separators in V0 names and values | Not by default. Allowed if property set. | TBD | Yes except semi-colon, comma and whitespace. | Never in names. Yes in values except semi-colon, comma and whitespace, double-quote and backslash. |
| Always add expires | Enabled by default. Disabled by property. | TBD | Netscape uses expires. RFC2109 uses Max-Age. | Allows either, none or both. |
| / is separator | Enabled by default. Disabled by property. | TBD | Netscape allowed in names and values. RFC2109 allowed in values if quoted. | Allowed in values. |
| Strict naming | Enabled by default. Disabled by property. | TBD | TBD | TBD |
| Allow name only | Disabled by default. Enabled by property. | TBD | Netscape allowed and equals sign expected before empty value. RFC2109 not allowed. | Allowed but equals sign required before empty value. |
Issues to add to the table above
- Any further issues raised on mailing lists
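The following Java example is added here for illustration and is not Tomcat code or a proposed implementation. It applies the rules from the "Servlet + RFC 6265" column of the table to a Cookie header and keeps only the pairs that satisfy them. The class name, method names and sample header are constructed for this example; the character classes are the cookie-octet grammar from RFC 6265 and the token grammar from RFC 2616.

```java
import java.util.LinkedHashMap;
import java.util.Map;

/** Added example: strict check against the "Servlet + RFC 6265" column. Hypothetical class. */
public class Rfc6265CookieCheck {

    // RFC 6265 cookie-octet: %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
    // (excludes CTLs, whitespace, double-quote, comma, semi-colon, backslash and 0x80-0xFF)
    static boolean isCookieOctet(char c) {
        return c == 0x21 || (c >= 0x23 && c <= 0x2B) || (c >= 0x2D && c <= 0x3A)
                || (c >= 0x3C && c <= 0x5B) || (c >= 0x5D && c <= 0x7E);
    }

    // RFC 2616 token: visible US-ASCII with no separators (separators never allowed in names)
    static boolean isToken(String s) {
        if (s.isEmpty()) return false;
        for (char c : s.toCharArray()) {
            if (c <= 0x20 || c >= 0x7F || "()<>@,;:\\\"/[]?={}".indexOf(c) >= 0) return false;
        }
        return true;
    }

    /** Returns the accepted name/value pairs; a pair that breaks a rule is skipped. */
    static Map<String, String> parse(String header) {
        Map<String, String> out = new LinkedHashMap<>();
        for (String pair : header.split(";")) {
            int eq = pair.indexOf('=');        // first '=' splits; later ones belong to the value
            if (eq < 0) continue;              // name only: '=' is required before an empty value
            String name = pair.substring(0, eq).trim();   // lenient about spaces around the pair
            String value = pair.substring(eq + 1).trim();
            if (value.length() >= 2 && value.startsWith("\"") && value.endsWith("\"")) {
                value = value.substring(1, value.length() - 1);  // quotes are not part of value
            }
            boolean ok = isToken(name);
            for (int i = 0; ok && i < value.length(); i++) ok = isCookieOctet(value.charAt(i));
            if (ok) out.put(name, value);
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed header: equals in value, quoted value, empty value, name only,
        // a 0x80-0xFF character, a CTL inside quotes, and '/' in a value.
        String h = "a=b=c; q=\"quoted\"; empty=; bare; hi=caf\u00e9; ctl=\"x\ty\"; p=/x";
        System.out.println(parse(h));
    }
}
```

Running it on the constructed header keeps `a`, `q`, `empty` and `p` and skips `bare`, `hi` and `ctl`, which correspond to the "Allow name only", Bug 55917 and Bug 55918 rows.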
Generating the Set-Cookie header by Tomcat
TODO: Need to define behaviour for each of the issues above.