Issue

Current behaviour (8.0.0-RC10/7.0.50)

Proposed new behaviour

Servlet + Netscape + RFC2109

Servlet + RFC 6265

0x80 to 0xFF in cookie value (Bug 55917)

IAE

TBD

Netscape yes. RFC2109 requires quotes.

RFC 6265 never allowed.

CTL allowed in quoted cookie values (Bug 55918)

Allowed

TBD

Not allowed.

Not allowed.

Quoted values in V0 cookies (Bug 55920)

Quotes removed.

TBD

Netscape - quotes are part of value.

Quotes are not part of value.

Raw JSON in cookie values (Bug 55921)

TBD

TBD

TBD

TBD

Allow equals in value

Not by default. Allowed if property set.

TBD

Netscape is ambiguous. RFC2109 requires quoting.

Allowed.

Allow separators in V0 names and values

Not by default. Allowed if property set.

TBD

Yes except semi-colon, comma and whitespace.

Never in names. Yes in values except semi-colon, comma and whitespace, double-quote and backslash.

Always add expires

Enabled by default. Disabled by property.

TBD

Netsacpe uses expires. RFC2109 uses Max-Age.

Allows either, none or both.

/ is separator

Enabled by default. Disabled by property.

TBD

Netscape allowed in names and values. RFC2109 allowed in values if quoted.

Allowed in values.

Strict naming (as per Servlet spec)

Enabled by default. Disabled by property.

TBD

Netscape allows names the Servlet spec does not. RFC2109 is consistent with the Servlet spec.

Consistent with the Servlet spec.

Allow name only

Disabled by default. Enabled by property.

TBD

Netscape allowed and equals sign expected before empty value. RFC2109 not allowed.

Allowed but equals sign required before empty value.

Requirement

Servlet

Netscape

RFC2109

RFC6265

Format of name

Must conform to RFC2109. Vendors may provide option to allow Netscape format

A sequence of characters excluding semi-colon, comma and white space. Browsers generally stop at first equals,

token

token

Format of value

The value can be anything the server chooses to send. With Version 0 cookies, values should not contain white space, brackets, parentheses, equals signs, commas, double quotes, slashes, question marks, at signs, colons, and semicolons. Empty values may not behave the same way on all browsers.

This string is a sequence of characters excluding semi-colon, comma and white space.

token

quoted-string

cookie-value

Domain

String, per RFC2109

domain=DOMAIN_NAME

"Domain" "=" value

"Domain=" domain-value

Path

String, per RFC2109

path=PATH

"Path" "=" value

"Path=" path-value

Secure

boolean

secure

"Secure"

"Secure"

HttpOnly

boolean

N/A

N/A

"HttpOnly"

Expires

N/A

expires=DATE as "Wdy, DD-Mon-YYYY HH:MM:SS GMT"

N/A

"Expires=" sane-cookie-date

Max-Age

int in seconds

N/A

"Max-Age" "=" value

"Max-Age=" non-zero-digit *DIGIT

Comment

String

N/A

"Comment" "=" value

allowed by extension

Version

int (0 or 1)

N/A

"Version" "=" 1*DIGIT

allowed by extension

Extension

N/A

N/A

N/A

any CHAR except CTLs or ";"