Tomcat 5.5.26 appears to be incorrectly parsing cookies whose name contains a colon (":"). The portion of the name that prefixes the colon remains, but the value for the cookie is an empty string.

Tomcat 5.5.25 and earlier:
--------------------------
HTTP request contains header:
Cookie: JSESSIONID=87C7E668C6C15E2556C0977F6EAA9F4C; NFIS:profile=lang=en; DACS:NFIS:NRCAN:dlewis=usjp1tigSqakP8BnWv

* When the HttpServletRequest.getCookies() is called, a Cookie[] is returned:
Cookie: name="JSESSIONID", value="J87C7E668C6C15E2556C0977F6EAA9F4C"
Cookie: name="NFIS:profile", value="lang:en"
Cookie: name="DACS:NFIS:NRCAN:dlewis", value="usjp1tigSqakP8BnWv"

Tomcat 5.5.26:
--------------
HTTP request contains header:
Cookie: JSESSIONID=87C7E668C6C15E2556C0977F6EAA9F4C; NFIS:profile=lang=en; DACS:NFIS:NRCAN:dlewis=usjp1tigSqakP8BnWv

* When the HttpServletRequest.getCookies() is called, a Cookie[] is returned:
Cookie: name="JSESSIONID", value="J87C7E668C6C15E2556C0977F6EAA9F4C"
Cookie: name="NFIS", value=""
Cookie: name="DACS", value=""

This issue "breaks" many of the cookies that we use with our applications. The only solution (for now) is to use Tomcat 5.5.25.
*** This bug has been marked as a duplicate of bug 44679 ***
Bug 44679 is fixed. This bug (44705) will never be fixed because it's version 5.5.26. How can this bug be a duplicate of 44679, and yet it's not fixed?! It's better to change it to WONTFIX!
It is a dup because it is the same issue and the same fixes have been applied to 5.5.x and 6.0.x. Generally, we use the same bug ID for the same issue across multiple versions.
*** This bug has been marked as a duplicate of bug 44679 ***
I'm a little confused. This is solved for version 6, but what about Tomcat 5.5? Is there going to be a release 5.5.27 which solves this bug?
Bugs are closed once the fix is applied to the source. Please stop re-opening this bug. It has been dealt with.
*** This bug has been marked as a duplicate of bug 44679 ***
As per comment #5, is there a release date set for Tomcat 5.5.27? We have many servers that need upgrading - but right now we are still using 5.5.25.
Although the fix for this issue has been incorporated into the Tomcat 6.0.x stream, I gather from this post that it has not been incorporated into 5.5.27: https://issues.apache.org/bugzilla/show_bug.cgi?id=44679#c27 This oversight means that I cannot upgrade to a later version of Tomcat 5.5.x as my cookies break with all later versions newer than 5.5.25. I must upgrade to Tomcat 6.0.x. So why bother issuing further bug fixes for Tomcat 5.5.x! :-(
I also have issues with the new cookie parsing. In my case, a load balanced Tomcat 5.5.26 application configured to use AJP causes the JSESSIONID cookie to have the host and port number attached to it:
JSESSIONID=A54351F6255622340BCCB76397C80A84.server01:8080
Unfortunately, this is now an illegal cookie and any application running on it experiences strange session recreation issues. Is there a way to format the session cookie differently?
As a workaround, use server01-8080 for your jvmRoute rather than server01:8080.
I have ported all the cookie changes from 6.0.x to 5.5.x. This is being tracked in bug 46597 so I am marking this issue as a dup of that one.
*** This bug has been marked as a duplicate of bug 46597 ***
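An added example, not part of the thread and not Tomcat's code: a simplified Python model of token-strict cookie reading, using the separator set from RFC 2616 section 2.2, to audit Cookie headers such as the ones quoted in the comments above before an upgrade. The function names, and the rule that an unquoted value is cut at the first separator, are assumptions of this sketch.

```python
# Added example: a simplified model, not Tomcat's parser.
# RFC 2616 section 2.2 "separators": characters an HTTP token may not contain.
SEPARATORS = set('()<>@,;:\\"/[]?={} \t')

# Headers quoted in the thread (report and the AJP/jvmRoute comment).
REPORT_HEADER = ("JSESSIONID=87C7E668C6C15E2556C0977F6EAA9F4C; "
                 "NFIS:profile=lang=en; "
                 "DACS:NFIS:NRCAN:dlewis=usjp1tigSqakP8BnWv")
ROUTE_COLON = "JSESSIONID=A54351F6255622340BCCB76397C80A84.server01:8080"
ROUTE_DASH = "JSESSIONID=A54351F6255622340BCCB76397C80A84.server01-8080"

def split_header(header):
    """Lenient reading: split on ';', then on the first '=' of each pair."""
    pairs = []
    for part in header.split(";"):
        part = part.strip()
        if part:
            name, _, value = part.partition("=")
            pairs.append((name.strip(), value.strip()))
    return pairs

def leading_token(text):
    """Longest prefix of text that is a valid HTTP token."""
    for i, ch in enumerate(text):
        if ch in SEPARATORS or not 32 < ord(ch) < 127:
            return text[:i]
    return text

def strict_view(header):
    """Token-strict reading. A name is cut at its first separator and its
    value is then lost (as in the 5.5.26 output reported above). Assumption
    of this model: an unquoted value is cut at its first separator too."""
    out = []
    for name, value in split_header(header):
        tok = leading_token(name)
        if tok != name:
            out.append((tok, ""))
        elif value.startswith('"'):
            out.append((name, value))  # quoted values left alone here
        else:
            out.append((name, leading_token(value)))
    return out

def audit(header):
    """Return (lenient, strict) pairs for every cookie the two readings disagree on."""
    return [(a, b) for a, b in zip(split_header(header), strict_view(header)) if a != b]

if __name__ == "__main__":
    for hdr in (REPORT_HEADER, ROUTE_COLON, ROUTE_DASH):
        print(audit(hdr) or "no difference")
```

Any cookie that `audit` returns is one an application may see changed or emptied after moving to a stricter parser; renaming it or replacing the separator (as with the jvmRoute workaround) makes the two readings agree.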