Summary: The CookieNameValidator has an issue related to consistency
Product: Tomcat 9
Reporter: Kyohei Nakamura <nakamura.kyohei.lab>
Component: Catalina
Assignee: Tomcat Developers Mailing List <dev>
Attachments: patch against trunk
Description Kyohei Nakamura 2016-06-02 08:35:19 UTC
The javax.servlet.http.CookieNameValidator has multiple implementations. If the org.apache.tomcat.util.http.ServerCookie.STRICT_NAMING system property is not specified, the javax.servlet.http.NetscapeValidator is used by default. The NetscapeValidator allows HTTP separators (excluding semi-colon, comma and white space) in the cookie name. However, the Rfc6265CookieProcessor and the LegacyCookieProcessor do not allow HTTP separators in the cookie name. As a result, although Tomcat sends a cookie header that includes HTTP separators in the cookie name, Tomcat cannot receive that cookie header. I think that it lacks consistency. The CookieNameValidator and the CookieProcessor should be consistent.

On the other hand, the implementation of CookieNameValidator to use can be switched by the org.apache.tomcat.util.http.ServerCookie.STRICT_NAMING system property, but cannot be switched per Context, like the CookieProcessor. I think that setting the CookieNameValidator per Context is more useful.
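To make the mismatch described in the report concrete, the following is an added Python example, not Tomcat's code: it reimplements the RFC 6265 cookie-name rule (the RFC 2616 "token" grammar, which excludes CTLs and HTTP separators) beside a simplified version of the Netscape-style rule as the report describes it (only semi-colon, comma and white space rejected; Tomcat's real NetscapeValidator has further checks that are not modelled here), and then lists the names a servlet could emit under the lenient rule that an RFC 6265 parser would drop on the way back in. The candidate names and the Cookie header are constructed for the example.

```python
"""Compare a Netscape-style cookie-name rule with the RFC 6265 token rule.

Added example, not code from Tomcat. The Netscape-style check below is a
simplification of the rule the bug report describes (assumption: it models
only the separator/whitespace exclusions mentioned there).
"""

# RFC 2616 "separators"; RFC 6265 reuses the RFC 2616 token for cookie-name.
SEPARATORS = frozenset('()<>@,;:\\"/[]?={} \t')


def is_rfc6265_token(name: str) -> bool:
    """True if name is a non-empty RFC 2616 token: ASCII, no CTLs, no separators."""
    if not name:
        return False
    for ch in name:
        code = ord(ch)
        if code > 127 or code < 32 or code == 127:  # non-ASCII or CTL
            return False
        if ch in SEPARATORS:
            return False
    return True


def is_netscape_style_name(name: str) -> bool:
    """Simplified Netscape rule from the report: separators are allowed
    except ';', ',' and white space (assumption: a reduced model)."""
    if not name:
        return False
    return not any(ch in ';,' or ch.isspace() for ch in name)


def names_sent_but_not_parsed(candidates):
    """Names the lenient rule lets a servlet send but an RFC 6265 parser rejects.

    These are exactly the cookies that would be written to the client and
    then silently disappear from request.getCookies() on the way back.
    """
    return [n for n in candidates
            if is_netscape_style_name(n) and not is_rfc6265_token(n)]


def parse_cookie_header_rfc6265(header: str) -> dict:
    """Minimal Cookie request-header parser that applies the token rule to
    each cookie-name and drops pairs whose name violates it."""
    cookies = {}
    for pair in header.split(';'):
        pair = pair.strip()
        if not pair or '=' not in pair:
            continue
        name, _, value = pair.partition('=')
        name = name.strip()
        if is_rfc6265_token(name):
            cookies[name] = value.strip()
    return cookies


# Constructed sample data for the example.
CONSTRUCTED_CANDIDATES = ["JSESSIONID", "my(cookie)", "user@host", "a b", "path/x"]
CONSTRUCTED_COOKIE_HEADER = "JSESSIONID=abc; my(cookie)=1; token=xyz"

if __name__ == "__main__":
    print("sent but unparseable:", names_sent_but_not_parsed(CONSTRUCTED_CANDIDATES))
    print("parsed on the way back:", parse_cookie_header_rfc6265(CONSTRUCTED_COOKIE_HEADER))
```

The practical check is `names_sent_but_not_parsed`: any name it returns is one that the lenient validator would accept at `Cookie` construction time while the RFC 6265 processor discards it when the browser echoes it, which is the silent data-loss path the report describes.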
Comment 1 Mark Thomas 2016-06-06 14:22:20 UTC
The CookieNameValidator cannot be set per web application since it is set in the specification implementation and can, therefore, only be set globally. I have changed the default to the RFC6265 validator and restored the section of the docs that describes the STRICT_NAMING property. The fix has been applied to 9.0.x for 9.0.0.M7 onwards and 8.5.x for 8.5.3 onwards.
Comment 2 Kyohei Nakamura 2016-06-16 11:10:25 UTC
Created attachment 33955 [details]
patch against trunk

Hi Mark,

Thank you for the fix. I think this fix of changing the default to the RFC6265Validator and restoring the description of the STRICT_NAMING system property is correct, but the Javadoc of javax.servlet.http.Cookie and the description of the STRICT_NAMING system property have not been updated. I have attached the patch.
Comment 3 Mark Thomas 2016-06-20 10:45:09 UTC
Thanks. Docs update for 9.0.x and 8.5.x. The patch will be in 9.0.0.M9 and 8.5.4 onwards.