Bug 36863 - Space seperated cookie value text returned in quotes
Summary: Space seperated cookie value text returned in quotes
Alias: None
Product: Tomcat 5
Classification: Unclassified
Component: Unknown (show other bugs)
Version: 5.5.7
Hardware: PC Windows 2000
: P2 normal (vote)
Target Milestone: ---
Assignee: Tomcat Developers Mailing List
Depends on:
Reported: 2005-09-29 16:53 UTC by Kevin
Modified: 2005-12-11 21:57 UTC (History)
0 users

web application (17.31 KB, application/x-zip-compressed)
2005-12-02 03:53 UTC, Steve

Note You need to log in before you can comment on or make changes to this bug.
Description Kevin 2005-09-29 16:53:01 UTC
Multiple word phrases (like Online Query) saved in a cookie are quoted when
retrieved. See example below ...

  Online Query

Click Submit. Submit saves the value in a cookie to be later used in search.

Return to search page which will fetch cookie value and place in appropriate
input box. The value is now displayed as:

"Online Query" 

Granted that this is the integrated version of Tomcat in Netbeans but I wanted
to report this here as well as with Netbeans.

Using JSDK 1.4.2_08

Comment 1 Yoav Shapira 2005-10-17 00:45:49 UTC
I don't think it's a Tomcat bug.  You can look and test the simple cookie
example servlet that ships with Tomcat to see for yourself.
Comment 2 Steve 2005-12-01 04:34:52 UTC

I want to re-open this case because I'm running into the same problem.  I'm 
porting a large app to tomcat and can't go any further until this is fixed.

I've written a separate app that contains a jsp file with a form and a 
servlet.  That's it.  All the servlet does is set the cookie and include the 

If I use a cookie value without spaces then then there are no quotes.  If I 
use a value with spaces than quotes are automatically put around the value.  I 
also get the same results with commas.  I have not tried any other characters.

I would like to help get this resolved, so please feel free to contact me 
about this.

Thank you,

Comment 3 Yoav Shapira 2005-12-01 05:03:19 UTC
Please attach the minimal WAR you mention with the one servlet and JSP to this
issue so that we can reproduce your results.

Please confirm your report is true for an out-of-the-box Tomcat 5.5.12
installation in stand-alone mode, i.e. without NetBeans or another IDE.

Please confirm that the cookie example servlet that ships with Tomcat does NOT
show quotes on your screen.  It doesn't for me, which is why this issue was
initially closed, but perhaps it strips out the quotes along the way.

Then, if you really want to help, a patch would be nice ;)
Comment 4 Steve 2005-12-02 03:53:29 UTC
Created attachment 17118 [details]
web application

After submitting the form.  check your cookie values.  It is a session cookie
so it will disappear after you close your browser.
Comment 5 Steve 2005-12-02 04:13:09 UTC

I've downloaded 5.5.12 and have tested the app and it acts the same way as the 
other version.

Can you direct me to the package(s) that handle the tomcat cookie parsing?  
I'm going to need a little direction since I haven't done any core tomcat 

Thank you.
Comment 6 william.barker 2005-12-02 05:50:22 UTC
(In reply to comment #5)
> Hello,
> I've downloaded 5.5.12 and have tested the app and it acts the same way as 
> other version.
> Can you direct me to the package(s) that handle the tomcat cookie parsing?  
> I'm going to need a little direction since I haven't done any core tomcat 
> development.
> Thank you.

It's in o.a.t.u.http.ServerCookie.  You'll find it under connectors/util/java 
in the source distro.

Comment 7 VickyKak 2005-12-05 12:19:55 UTC
Please have a look at the following specs 
http://www.faqs.org/rfcs/rfc2068.html , 
If the cookies contains the special characters they should be quoted , that is
what have been implemented .
Comment 8 Kevin 2005-12-05 16:14:01 UTC

Could you be so kind as to point out which section? 

Comment 9 Steve 2005-12-06 02:00:32 UTC

Do you believe that if I set a cookie to a certain value in an application, 
then when I go to read the cookie, I should be given the same value that I set 
or a different value?  I believe that if I set the cookie value to a,b,c,d,e 
then I should get a,b,c,d,e returned back to me when I read the cookie.  In my 
applications, I should not have to take into considderation that the cookie 
may have been escaped.  The application server should take care of that for me.

Do you agree?
Comment 10 Steve 2005-12-06 02:01:43 UTC

I'm going to read into this rfc a little and continue to research it.

Thank you.
Comment 11 Steve 2005-12-06 02:26:04 UTC

I've just looked at the rfc you've pointed me to and I think you are referring 
to section 2.2.  That is the section where they talk about basic rule about 
constructing a http header.  From my understanding of the rfc, if a http 
header value contains special characters then the http header value needs to 
be quoted to escape it.

I set the cookie and monitored the output of the http header.  This is what I 

Set-Cookie: ServletCookieVar="asfasf asdf asf asdf"

By the looks of it,  You're not quoting the http header value.  You're quoting 
the cookie value.  If you were to quote the header value, then the header 
would look like this.  Notice the position of the quotes.

Set-Cookie: "ServletCookieVar=asfasf asdf asf asdf"

Am I correct to assume that this is what the header should look like?

Does this seem correct or am I reading the wrong part of the rfc?



Comment 12 Steve 2005-12-06 02:32:05 UTC
I seem to be saying sorry al lot.

I guess I shouldn't say yours.  You're probably not the person that wrote that 
code, so please do not think I'm attacking you.  I'm just trying to justify 
what's happening and fix the bug ASAP.

Also,  I'm not attacking the person who did write the code.  It's all in how 
the person interprets the rfc.

Thank you,

Comment 13 william.barker 2005-12-06 04:17:28 UTC
This is fixed now in SVN trunk, and hopefully will even make the cutoff for 
inclusion in 5.5.14.
Comment 14 Steve 2005-12-06 16:55:27 UTC

Thank you very much for taking care of it.  I was looking at the class you 
pointed me to but have not had enough time to narrow down exactly which methods 
I needed to modify.

Thank you,

Comment 15 VickyKak 2005-12-12 06:57:05 UTC
Hi Steave,
As pointed by Willaim that the fix will come with 5.5.14 I think you will have
to wait till that. I can understand this to be a critical requirement for you so
I think we can ask William for the changes for the fix so that you can apply it
, but this will be a bit of risk  . 
Now looking at the code I can understand that 
1) Some changes to me made at appendCookieValue method , precisely at 
     buf.append( name );
     maybeQuote(version, buf, value);
The appendCookieValue gets called from the addCookie of the
org.apache.catalina.connector.Response , you make a call to this when you are
adding a cookie .

2) maybeQuote is having a version parameter which is not used at all , can this
be removed too ? This is not relevant to this bug .

I have done just a initial investigation. 
BTW are the changes done to this bug or it is yet to be done , incase of later
then I think we can help Steave and the same changes can be committed to CVS for
Tomcat 5.5.14