Bug 60208

Summary: Regression: Cookies whose names match the web application context are now missing from request.getCookies() result
Product: Tomcat 8 Reporter: Réda Housni Alaoui <reda.housnialaoui>
Component: CatalinaAssignee: Tomcat Developers Mailing List <dev>
Status: RESOLVED FIXED    
Severity: blocker    
Priority: P2    
Version: 8.5.5   
Target Milestone: ----   
Hardware: PC   
OS: Linux   

Description Réda Housni Alaoui 2016-10-05 22:01:22 UTC 
Suppose I have an application running at context path '/my-webapp'.
Then I create a basic cookie with name '/my-webapp'.

With Tomcat 8.0.33:
When I try to retrieve it from the application with request.getCookies(), the cookie is present.

With Tomcat 8.5.5:
When I try to retrieve it from the application with request.getCookies(), the cookie is missing.

All tests were run on Chrome and Firefox. Both browsers always send the wanted cookie according to their developer panels.
Comment 1 Mark Thomas 2016-10-06 07:21:43 UTC 
As of Tomcat 8.5.x, cookies are processed as per RFC6265.

'/' is not a valid character for a cookie name in RFC6265 so the cookie will be ignored.

You have the option of fixing the broken cookie or configuring Tomcat to use the legacy cookie parser.

Further support is available from the Tomcat users mailing list.
Comment 2 Réda Housni Alaoui 2016-10-06 08:16:56 UTC 
Hello,

Ok I understand.

But why does Tomcat 8.5.5 correctly create the cookie with '/' in its name when the application asks it?
Don't you think an exception should be thrown at cookie creation in this case?

I think this behaviour lack of consistency.
Comment 3 Mark Thomas 2016-10-06 08:42:16 UTC 
Agreed. Generation and parsing should be consistent. '/' was an edge case that wasn't handled correctly. I'll get that fixed.
Comment 4 Mark Thomas 2016-10-06 08:47:50 UTC 
This has been fixed in the following branches:
- 9.0.x for 9.0.0.M11 onwards
- 8.5.x for 8.5.6 onwards
Comment 5 Réda Housni Alaoui 2016-10-06 09:57:24 UTC 
Thank you