Bug 47825 - Setting Cookie with UTF-8 encoded value gives ServletException for 5.5.26+
Alias: None
Product: Tomcat 5
Classification: Unclassified
Component: Catalina
Version: 5.5.26
Hardware: PC All
Importance: P3 normal
Target Milestone: ---
Assignee: Tomcat Developers Mailing List
Keywords: ErrorMessage
Depends on:
Reported: 2009-09-11 07:56 UTC by Daniel Unfried
Modified: 2009-09-11 08:18 UTC

simple Maven2 web project to reproduce the error (11.87 KB, application/zip)
2009-09-11 07:56 UTC, Daniel Unfried
trace log (2.66 KB, text/plain)
2009-09-11 07:58 UTC, Daniel Unfried

Description Daniel Unfried 2009-09-11 07:56:55 UTC
Created attachment 24248
simple Maven2 web project to reproduce the error

Trying to do
  response.addCookie(new Cookie("cookie0", myData));
where myData is a UTF-8 String retrieved through request parameter, all 5.5
versions after and including 5.5.26 produce the following ServletException

javax.servlet.ServletException: Control character in cookie value, consider
BASE64 encoding your value

The instructions from http://wiki.apache.org/tomcat/FAQ/CharacterEncoding to
handle encodings correctly state:
 - Set URIEncoding="UTF-8" on your <Connector> in server.xml
 - Use a character encoding filter with the default encoding set to UTF-8
 - Change all your JSPs to set the correct Content-Type (use <%@page
contentType="mime/type; charset=UTF-8" %>)

Following these instructions I started out with vanilla installations of 5.25,
5.26, 5.27 and 5.28 on both Windows (Vista64) and Linux (Debian 5.0) using
jdk-1.5.0_12 with the only change from default configuration being the
URIEncoding set to UTF-8 in server.xml. By deploying the sample application
attached the error can be reproduced for 5.5.26+.
Comment 1 Daniel Unfried 2009-09-11 07:58:42 UTC
Created attachment 24249
trace log
Comment 2 Mark Thomas 2009-09-11 08:05:00 UTC
As the error message says, if you want to do that you'll need to encode the data, e.g. using Base64.
Comment 3 Daniel Unfried 2009-09-11 08:10:46 UTC
But why did the exact same thing work on 5.5.25? Is this some non-standard behavior? Is it just a coincidence it works? Would be great if you could shed some more light.
Comment 4 Mark Thomas 2009-09-11 08:18:20 UTC
Cookie handling is now stricter. Non-compliant cookies will get rejected.
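
The Base64 encoding suggested in comment 2, as an added Java example that is not part of the bug report or of Tomcat's code. It assumes Java 8+ for java.util.Base64; the class name, the method names, the choice of the URL-safe alphabet without padding and the allow-list in isPlainToken are assumptions of this example, not Tomcat's own validation rule.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

// Added illustration: class and method names are hypothetical, not Tomcat API.
// Assumes Java 8+ (java.util.Base64).
public class CookieValueCodec {

    // Conservative allow-list (an assumption, not Tomcat's own rule): letters,
    // digits, '-', '_' and '.' only, so no control, separator or non-ASCII chars.
    static boolean isPlainToken(String value) {
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            boolean ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
                    || (c >= '0' && c <= '9') || c == '-' || c == '_' || c == '.';
            if (!ok) return false;
        }
        return true;
    }

    // UTF-8 bytes -> URL-safe Base64 without '=' padding.
    static String encode(String raw) {
        return Base64.getUrlEncoder().withoutPadding()
                .encodeToString(raw.getBytes(StandardCharsets.UTF_8));
    }

    // Cookies come back from the client, so treat malformed input as absent.
    static String decode(String cookieValue) {
        if (cookieValue == null || !isPlainToken(cookieValue)) return null;
        try {
            byte[] bytes = Base64.getUrlDecoder().decode(cookieValue);
            return new String(bytes, StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return null; // not valid Base64
        }
    }

    public static void main(String[] args) {
        // Constructed sample values: ASCII, non-ASCII text, and a control character.
        String[] samples = { "plain-value", "Gr\u00fc\u00dfe \u4e16\u754c", "line1\nline2" };
        for (String raw : samples) {
            String enc = encode(raw);
            System.out.printf("rawSafe=%b encoded=%s encodedSafe=%b roundTrip=%b%n",
                    isPlainToken(raw), enc, isPlainToken(enc), raw.equals(decode(enc)));
        }
        // In the servlet from the report this would be used as:
        //   response.addCookie(new Cookie("cookie0", CookieValueCodec.encode(myData)));
        //   String myData = CookieValueCodec.decode(cookie.getValue());
    }
}
```

Base64 is an encoding only; the decoded value is still client-supplied input and needs the same validation as the original request parameter.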