This issue was originally fixed by introducing a new configuration option in Tomcat 8 in r1448679 (for 8.0.0), backported to Tomcat 7 in r1675821 (for 7.0.62). It has not been fixed in Tomcat 6 yet.

I am filing this into Bugzilla to better document the problem.

The problem is that method "unescapeDoubleQuotes" modifies bytes in the buffer that it is processing
(The method is LegacyCookieProcessor.unescapeDoubleQuotes() in current Tomcat 8, ServerCookie.unescapeDoubleQuotes() in current Tomcat 7 and 6).

As such, the value of original "cookie" HTTP header is corrupted. It can be noted by calling request.getHeader("cookie") or by logging the header value in AccessLogValve.

Steps to reproduce with current Tomcat 6 (6.0.43), Firefox 37.0.2:

1. Configure an AccessLogValve to log incoming "cookie" and outgoing "set-cookie" HTTP headers.

That is, uncomment AccessLogValve in Host element of server.xml and set the following value for pattern attribute:

    pattern="%h %l %u %t "%r" %s %b [Cookie received: %{cookie}i] [Set-Cookie sent: %{set-cookie}o]"

2. Start Tomcat and open Servlets Examples -> Cookies  page in examples web application,

http://localhost:8080/examples/servlets/servlet/CookieExample

3. Fill the form to create a cookie and submit it:
Name: foo
Value: bar "baz"

4. Re-visit the Cookies example page, so that browser sends you the cookie that was created.

5. Look into access log file.

The logs look like the following:

127.0.0.1 - - [07/May/2015:15:25:37 +0400] "GET /examples/servlets/servlet/CookieExample HTTP/1.1" 200 637 [Cookie received: -] [Set-Cookie sent: -]
127.0.0.1 - - [07/May/2015:15:28:24 +0400] "POST /examples/servlets/servlet/CookieExample HTTP/1.1" 200 809 [Cookie received: -] [Set-Cookie sent: foo="bar \"baz\""; Version=1]
127.0.0.1 - - [07/May/2015:15:28:42 +0400] "GET /examples/servlets/servlet/CookieExample HTTP/1.1" 200 714 [Cookie received: foo="bar "baz"\""] [Set-Cookie sent: -]

Actual value:
[Cookie received: foo="bar "baz"\""]
Expected value:
[Cookie received: foo="bar \"baz\""]

Notes:
======
1. This happens only with unquoting of '"' character. No other character are unquoted by unescapeDoubleQuotes() method.

2. Current specification of cookies (RFC6265) defines that cookie values cannot contain double quote and backslash characters. A well-behaving web application should not create cookies whose values contain such characters.

 cookie-value      = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE )
 cookie-octet      = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
                       ; US-ASCII characters excluding CTLs,
                       ; whitespace DQUOTE, comma, semicolon,
                       ; and backslash

3. The fix introduced new system property,
org.apache.tomcat.util.http.ServerCookie.PRESERVE_COOKIE_HEADER

It defaults to 'false'. By default you have to opt-in for this fix by setting that property to 'true'.

When running in "strict servlet compliance" mode, that setting defaults to 'true' and the fix is enabled.

The new Rfc6265CookieProcessor implementation of CookieProcessor that is available as an opt-in feature in Tomcat 8 does not have this bug and is not affected by that configuration option.