| Summary: | Persistent cookies written by 6.0.18 do not work in Internet Explorer or Safari | | |
|---|---|---|---|
| Product: | Tomcat 6 | Reporter: | Matt Wiseley <matt> |
| Component: | Catalina | Assignee: | Tomcat Developers Mailing List <dev> |
| Status: | RESOLVED FIXED | | |
| Severity: | major | | |
| Priority: | P2 | | |
| Version: | 6.0.18 | | |
| Target Milestone: | default | | |
| Hardware: | PC | | |
| OS: | Linux | | |
| URL: | http://cephas.net/blog/2008/11/18/tomcat-6018-version-1-cookies-acegi-remember-me-and-ie/ | | |
| Attachments: | Simple JSP that reproduces the behavior; Patch to always include Expires parameter regardless of version | | |

Description
Matt Wiseley
2008-12-15 13:46:47 UTC
Created attachment 23027
Simple JSP that reproduces the behavior.
Created attachment 23028
Patch to always include Expires parameter regardless of version
This patch adds the Expires cookie parameter in addition to the Max-Age parameter. Though not technically to the cookies spec, it works. Tested in Google Chrome, Firefox 3.0 and IE7.
For completeness, the cookie parsing changes were required to correct various security vulnerabilities.

I really don't like the idea of adding workarounds to Tomcat for bugs in other software but I don't see a choice here. I have applied a variation of your patch to trunk and proposed it for 6.0.x. The variation is making the addition of the expires header optional.

There are occasional ASF/MS get-togethers where issues like this can be raised (and hopefully fixed). I have a list of things to raise at the next one and I've added this to it. As far as I am aware there are no dates set for the next get-together so don't expect an IE fix any time soon.

This has been fixed in 6.0.x and will be included in 6.0.19 onwards.

The problem is also with Firefox 3.6.3 and Tomcat 6.0.26. When reading the cookie via the Firefox API:

```javascript
// Cc and Ci are the usual chrome-code shorthands for
// Components.classes and Components.interfaces.
function getCookie(name, host) {
  var cookieManager = Cc["@mozilla.org/cookiemanager;1"].getService(Ci.nsICookieManager);
  var iter = cookieManager.enumerator,
      { nsICookie } = Ci;
  // Walk every stored cookie and return the first name/host match.
  while (iter.hasMoreElements()) {
    var cookie = iter.getNext();
    if (cookie instanceof nsICookie && cookie.name == name && cookie.host == host) {
      return cookie.value;
    }
  }
  return null;
}
```

It reads quoted values with quotes around them - which is obviously wrong. It seems that only Tomcat respects the RFC :(.
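The following sketch is an added example, not code from this bug report or from Tomcat: it builds a version-1 `Set-Cookie` value with `Max-Age` and an optional matching `Expires`, then checks what expiry a client would derive, and shows the quoted-value behaviour from the last comment. The function names, the header layout, the sample cookie and the simplified client model (`honorsMaxAge=false` for a client that ignores `Max-Age`) are all assumptions made for illustration.

```javascript
// Added illustration, not Tomcat code. All names and sample values are constructed.

// Netscape-style cookie date: "Tue, 16-Dec-2008 13:46:47 GMT".
function toCookieDate(date) {
  return date.toUTCString().replace(/(\d{2}) (\w{3}) (\d{4})/, '$1-$2-$3');
}

// Build a Set-Cookie value with Max-Age and, optionally, an equivalent Expires.
function buildSetCookie(name, value, maxAgeSeconds, { addExpires = true, now = Date.now() } = {}) {
  const parts = [`${name}=${value}`, 'Version=1', `Max-Age=${maxAgeSeconds}`];
  if (addExpires) {
    // Max-Age=0 means "delete now", so emit a date that is already in the past.
    const when = maxAgeSeconds === 0 ? new Date(10000) : new Date(now + maxAgeSeconds * 1000);
    parts.push(`Expires=${toCookieDate(when)}`);
  }
  return parts.join('; ');
}

// Minimal parser; assumes no ';' inside the value (true for the samples here).
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const attrs = {};
  for (const item of rest) {
    const i = item.indexOf('=');
    attrs[(i < 0 ? item : item.slice(0, i)).toLowerCase()] = i < 0 ? '' : item.slice(i + 1);
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

// Strip the quotes of a quoted-string value; other values are returned unchanged.
function unquote(value) {
  const m = /^"((?:[^"\\]|\\.)*)"$/.exec(value);
  return m ? m[1].replace(/\\(.)/g, '$1') : value;
}

// Expiry in epoch ms, or null when the client would keep only a session cookie.
// honorsMaxAge=false models a client that understands Expires but not Max-Age.
function expiryFor(header, { honorsMaxAge, now }) {
  const { attrs } = parseSetCookie(header);
  if (honorsMaxAge && 'max-age' in attrs) return now + Number(attrs['max-age']) * 1000;
  if ('expires' in attrs) return Date.parse(attrs.expires.replace(/-/g, ' '));
  return null;
}
```

With `addExpires: false`, the modelled client that ignores `Max-Age` ends up with a session cookie; with the default it gets the same expiry as a client that honours `Max-Age`.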