Bug 60627

Summary: Wrong cookie makes Rfc6265CookieProcessor omit all following cookies
Product: Tomcat 8 Reporter: Ales Dolecek <ales_d>
Component: Catalina Assignee: Tomcat Developers Mailing List <dev>
Status: RESOLVED FIXED    
Severity: minor CC: michaelo
Priority: P2    
Version: 8.5.8   
Target Milestone: ----   
Hardware: PC   
OS: All   

Description Ales Dolecek 2017-01-23 10:52:16 UTC
Our client (NGi/GVP Media Control Platform (Build: 8.5.150.63)) sends the following Cookie header with the request:

Cookie: $Version="0"; JSESSIONID=3BE951FE7F4A2BA1A47390E6674256A3.WH5; $Path=/ivr-csob

The cookie is not processed, however, and a new session is created. If the JSESSIONID cookie goes before the $Version cookie, it is understood.

The old LegacyCookieProcessor can understand it - so we have forced the application to use it.

I'm aware that the Cookie header is not RFC6265 compliant, but it would be nice if it tried to process all cookies specified in the header and not fail after the first parsing error. From this point of view the new processor is less lenient than the old one.
Comment 1 Ales Dolecek 2017-01-23 16:09:45 UTC
The format used by the client is RFC 2109 or RFC 2965. So I guess it was probably dropped from Rfc6265CookieProcessor intentionally.
Comment 2 Mark Thomas 2017-01-23 17:03:54 UTC
The RFC6265 parser switches to RFC2109 rules if it sees $Version="1". It currently treats any other version as unknown and rejects the header.

We could configure the RFC6265 parser to parse version 0 either with the RFC2109 parser or the RFC6265 parser. I'm leaning towards RFC2109 but I'd like to give this a little more thought. Also, any feedback would be very welcome.
Comment 3 Mark Thomas 2017-01-27 20:15:42 UTC
Fixed in:
- trunk for 9.0.0.M18 onwards
- 8.5.x for 8.5.12 onwards
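
Added example, not part of the bug thread and not Tomcat code: a simplified Python model of the version dispatch described in Comment 2, showing why the reported header loses JSESSIONID and how the two options for `$Version="0"` would differ. The function names and the `version0` switch are hypothetical, and quoted values containing `;` are not handled.

```python
# Simplified model of the dispatch described in Comment 2 (assumption: only a
# leading $Version is inspected). Not Tomcat's parser; all names are hypothetical.

def split_pairs(header):
    """Split a Cookie header value into (name, value) pairs, unquoting values."""
    pairs = []
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if not sep or not name:
            continue  # skip fragments that are not name=value
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        pairs.append((name.strip(), value))
    return pairs


def parse_cookie_header(header, version0="reject"):
    """Return (mode, cookies). version0 is 'reject', 'rfc2109' or 'rfc6265'."""
    pairs = split_pairs(header)
    mode = "rfc6265"
    if pairs and pairs[0][0].lower() == "$version":
        version = pairs[0][1]
        if version == "1":
            mode = "rfc2109"
        elif version == "0" and version0 != "reject":
            mode = version0
        else:
            return "rejected", {}  # unknown version: the whole header is dropped
    if mode == "rfc2109":
        # $Version, $Path and $Domain are attributes in RFC 2109, not cookies
        pairs = [(n, v) for n, v in pairs if not n.startswith("$")]
    return mode, dict(pairs)


# Header from the report, followed by two constructed variants of it
SID = "3BE951FE7F4A2BA1A47390E6674256A3.WH5"
REPORTED = '$Version="0"; JSESSIONID=' + SID + "; $Path=/ivr-csob"
REORDERED = "JSESSIONID=" + SID + '; $Version="0"; $Path=/ivr-csob'
VERSION_1 = '$Version="1"; JSESSIONID=' + SID + "; $Path=/ivr-csob"

if __name__ == "__main__":
    for label, hdr, policy in [("reported, reject", REPORTED, "reject"),
                               ("reported, v0 as rfc2109", REPORTED, "rfc2109"),
                               ("reported, v0 as rfc6265", REPORTED, "rfc6265"),
                               ("reordered", REORDERED, "reject"),
                               ("version 1", VERSION_1, "reject")]:
        mode, cookies = parse_cookie_header(hdr, policy)
        print(f"{label:26} {mode:9} session={cookies.get('JSESSIONID')}")
```

With the `reject` setting the reported header yields no JSESSIONID, which is the condition under which the server creates a new session.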