You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 19 Next »

Cookies

Parsing the Cookie header by Tomcat

Issue

Current behaviour (8.0.0-RC10/7.0.50)

Proposed new behaviour

Servlet + Netscape + RFC2109

Servlet + RFC 6265

0x80 to 0xFF in cookie value (Bug 55917)

IAE

TBD

Netscape yes. RFC2109 requires quotes.

RFC 6265 never allowed.

CTL allowed in quoted cookie values (Bug 55918)

Allowed

TBD

Not allowed.

Not allowed.

Quoted values in V0 cookies (Bug 55920)

Quotes removed.

TBD

Netscape - quotes are part of value.

Quotes are not part of value.

Raw JSON in cookie values (Bug 55921)

TBD

TBD

TBD

TBD

Allow equals in value

Not by default. Allowed if property set.

TBD

Netscape is ambiguous. RFC2109 requires quoting.

Allowed.

Allow separators in V0 names and values

Not by default. Allowed if property set.

TBD

Yes except semi-colon, comma and whitespace.

Never in names. Yes in values except semi-colon, comma and whitespace, double-quote and backslash.

Always add expires

Enabled by default. Disabled by property.

TBD

Netsacpe uses expires. RFC2109 uses Max-Age.

Allows either, none or both.

/ is separator

Enabled by default. Disabled by property.

TBD

Netscape allowed in names and values. RFC2109 allowed in values if quoted.

Allowed in values.

Strict naming (as per Servlet spec)

Enabled by default. Disabled by property.

TBD

Netscape allows names the Servlet spec does not. RFC2109 is consistent with the Servlet spec.

Consistent with the Servlet spec.

Allow name only

Disabled by default. Enabled by property.

TBD

Netscape allowed and equals sign expected before empty value. RFC2109 not allowed.

Allowed but equals sign required before empty value.

Issues to add to the table above

  • Any further issues raised on mailing lists

Generating the Set-Cookie header by Tomcat

Requirements as defined by the specifications

Requirement

Servlet

Netscape

RFC2109

RFC6265

Format of name

Must conform to RFC2109. Vendors may provide option to allow Netscape format

A sequence of characters excluding semi-colon, comma and white space. Browsers generally stop at first equals,

token

token

Format of value

The value can be anything the server chooses to send. With Version 0 cookies, values should not contain white space, brackets, parentheses, equals signs, commas, double quotes, slashes, question marks, at signs, colons, and semicolons. Empty values may not behave the same way on all browsers.

This string is a sequence of characters excluding semi-colon, comma and white space.

token

quoted-string

cookie-value

Domain

String, per RFC2109

domain=DOMAIN_NAME

"Domain" "=" value

"Domain=" domain-value

Path

String, per RFC2109

path=PATH

"Path" "=" value

"Path=" path-value

Secure

boolean

secure

"Secure"

"Secure"

HttpOnly

boolean

N/A

N/A

"HttpOnly"

Expires

N/A

expires=DATE as "Wdy, DD-Mon-YYYY HH:MM:SS GMT"

N/A

"Expires=" sane-cookie-date

Max-Age

int in seconds

N/A

"Max-Age" "=" value

"Max-Age=" non-zero-digit *DIGIT

Comment

String

N/A

"Comment" "=" value

allowed by extension

Version

int (0 or 1)

N/A

"Version" "=" 1*DIGIT

allowed by extension

Extension

N/A

N/A

N/A

any CHAR except CTLs or ";"

Current Implementation

The constructor of javax.servlet.http.Cookie will throw an IllegalArgumentException if any of the following conditions are met:

  • name is null or zero length
  • if name is not a token
  • if name equalsIgnoreCase any of "Comment" "Discard" "Domain" "Expires" "Max-Age" "Path" "Secure" "Version"
  • if name startsWith "$"

By default, a token comprises characters 0x21..0x7E except comma, semicolon and space. If STRICT_NAMING is true, then token also excludes characters from "()<>@,;:\\\"[]?={} \t" which corresponds to RFC2616 separators without "/" (i.e. "/" is allowed); if FWD_SLASH_IS_SEPARATOR is true than "/" is also excluded. These properties will default to true if STRICT_SERVLET_COMPLIANCE is true.

Issues

${renderedContent}
  • *
${renderedContent}
  • *
${renderedContent}

No checks are made in any of the other setters.

The domain value is converted to lower case (per Locale.ENGLISH) when set as "IE allegedly needs this."

HttpServletResponse

This is typically implemented by o.a.c.connector.Response whose addCookie method delegates generation of the Set-Cookie header to o.a.t.util.http.ServerCookie#appendCookieValue. This first appends the name (relying on checks performed by Cookie), "=" and then the value using RFC2109 quoting rules:

  • if the value is null or empty, append empty quoted-string ""
  • if the value starts and ends with '"', output as is after escaping any '"' characters between the outer quotes
  • if ALLOW_HTTP_SEPARATORS_IN_V0 is false and the value contains a RFC2616 separator, output as a quoted-string after escaping '"' and force Version=1
  • if ALLOW_HTTP_SEPARATORS_IN_V0 is true and the value contains a Netscape separator, output as a quoted-string after escaping '"' and force Version=1
  • otherwise, output as is

Netscape separators are {',', ';', ' ', '\t'}
RFC2616 separators by default do not include "/" unless FWD_SLASH_IS_SEPARATOR is set (or implied by STRICT_SERVLET_COMPLIANCE). Characters outside the set { HT, 0x20..0x7E } will result in a IllegalArgumentException when the check for token characters is performed.

The same quoting rules are applied when outputting any Domain or Path value.

If maxAge >=, then the Max-Age attribute will be set for V1 cookies and the Expires attribute for V0 cookies. If the property ALWAYS_ADD_EXPIRES is true then Expires will also be set for V1 cookies.

Issues::

  • *
${renderedContent}
  • *
${renderedContent}
  • *
${renderedContent}

Proposed Implementation

TBD

RFC2616 definitions

token          = 1*<any CHAR except CTLs or separators>
separators     = "(" | ")" | "<" | ">" | "@" | "," | ";" | ":" | "\" | <"> | "/" | "[" | "]" | "?" | "=" | "{" | "}" | SP | HT
CHAR           = <any US-ASCII character (octets 0 - 127)>
CTL            = <any US-ASCII control character (octets 0 - 31) and DEL (127)>
quoted-string  = ( <"> *(qdtext | quoted-pair ) <"> )
qdtext         = <any TEXT except <">>
quoted-pair    = "\" CHAR
TEXT           = <any OCTET except CTLs, but including LWS>
rfc1123-date   = wkday "," SP date1 SP time SP "GMT"

RFC6265 definitions

cookie-value      = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE )
cookie-octet      = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
domain-value      = <subdomain> ; defined in [RFC1034], Section 3.5, as enhanced by [RFC1123], Section 2.1
path-value        = <any CHAR except CTLs or ";">
sane-cookie-date  = <rfc1123-date, defined in [RFC2616], Section 3.3.1>

References

  1. RFC6265 discussion on 0x80-0xFF
  • No labels