Reviewing code of LegacyCookieProcessor.setAllowHttpSepsInV0(boolean) of current Tomcat 8. There is the following code: char[] seps = "()<>@:\\\"[]?={}\t".toCharArray(); for (char sep : seps) { if (allowHttpSepsInV0) { allowedWithoutQuotes.set(sep); } else { allowedWithoutQuotes.clear(); } } if (getForwardSlashIsSeparator() && !allowHttpSepsInV0) { allowedWithoutQuotes.set('/'); } else { allowedWithoutQuotes.clear('/'); } Apparently it was supposed to do "clear(sep)" instead of just clear().
Fixed in trunk and 8.0.x. Will be in 8.0.23 onwards.