Bug 46403 - Persistent cookies written by 6.0.18 do not work in Internet Explorer or Safari
Summary: Persistent cookies written by 6.0.18 do not work in Internet Explorer or Safari
Alias: None
Product: Tomcat 6
Classification: Unclassified
Component: Catalina (show other bugs)
Version: 6.0.18
Hardware: PC Linux
: P2 major (vote)
Target Milestone: default
Assignee: Tomcat Developers Mailing List
URL: http://cephas.net/blog/2008/11/18/tom...
Depends on:
Reported: 2008-12-15 13:46 UTC by Matt Wiseley
Modified: 2010-05-26 10:59 UTC (History)
0 users

Simple JSP that reproduces the behavior. (616 bytes, text/plain)
2008-12-15 17:52 UTC, Matt Wiseley
Patch to always include Expires parameter regardless of version (1.68 KB, patch)
2008-12-15 19:26 UTC, Matt Wiseley
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Matt Wiseley 2008-12-15 13:46:47 UTC
This blog post shows up in Google when searching for this problem, and is a better explanation that I can give here:


To summarize, in 6.0.18, the way Tomcat writes persistent cookie headers was changed from:

Set-Cookie: yankeessuck=YWFyb246MTIyODI0ODEwMjk5NjoyOGM5ODc4YzExOGZiOGZjZTBkZDE0ZTA1ZWRhZTM3Nw==; Expires=Thu, 19-Nov-2009 02:29:29 GMT;


Set-Cookie: yankeessuck="YWFyb246MTIyODI0ODEwMjk5NjoyOGM5ODc4YzExOGZiOGZjZTBkZDE0ZTA1ZWRhZTM3Nw=="; Version=1; Max-Age=31536000;

The value was enclosed in quotes, a "Version=1" parameter was added, and the Expires parameter was replaced with a Max-Age parameter.

Though cookies are written correctly to specification, Internet Explorer (6 and 7) and Safari do not support the Max-Age parameter. As a result, an application writing persistent cookies in this version of Tomcat won't work for Internet Explorer or Safari.
Comment 1 Matt Wiseley 2008-12-15 17:52:34 UTC
Created attachment 23027 [details]
Simple JSP that reproduces the behavior.
Comment 2 Matt Wiseley 2008-12-15 19:26:41 UTC
Created attachment 23028 [details]
Patch to always include Expires parameter regardless of version

This patch adds the Expires cookie parameter in addition to the Max-Age parameter. Though not technically to the cookies spec, it works. Tested in Google Chrome, Firefox 3.0 and IE7.
Comment 3 Mark Thomas 2008-12-23 05:19:48 UTC
For completeness, the cookie parsing changes were required to correct various security vulnerabilities.

I really don't like the idea of adding work arounds to Tomcat for bugs in other software but I don't see a choice here.

I have applied a variation of your patch to trunk and proposed it for 6.0.x. The variation is making the addition of the expires header optional.

There are occassional ASF/MS get togethers where issues like this can be raised (and hopefully fixed). I have a list of things to raise at the next one and I've added this to it. As far as I am aware there are no dates set for the next get together so don't expect an IE fix any time soon.
Comment 4 Mark Thomas 2008-12-27 11:52:36 UTC
This has been fixed in 6.0.x and will be included in 6.0.19 onwards.
Comment 5 novoj 2010-05-26 10:59:30 UTC
The problem is also with Firefox 3.6.3 and Tomcat 6.0.26. When reading Cookie via Firefox API:

function getCookie(name, host) {
        var cookieManager = Cc["@mozilla.org/cookiemanager;1"].getService(Ci.nsICookieManager);
        var iter = cookieManager.enumerator, {
    = Ci;
    while (iter.hasMoreElements()) {
        var cookie = iter.getNext();
        if (cookie instanceof nsICookie && cookie.name == name && cookie.host == host) {
            return cookie.value;
    return null;

It reads quoted values with quotes around them - which is obviously wrong. Seems, that only Tomcat respects the RFC :(.