Bug 55920 - Quotes should not be removed from quoted cookie values
Summary: Quotes should not be removed from quoted cookie values
Alias: None
Product: Tomcat 8
Classification: Unclassified
Component: Connectors (show other bugs)
Version: 8.0.x-trunk
Hardware: All All
: P2 enhancement (vote)
Target Milestone: ----
Assignee: Tomcat Developers Mailing List
Depends on:
Reported: 2013-12-22 21:19 UTC by Jeremy Boynes
Modified: 2014-10-07 08:43 UTC (History)
0 users


Note You need to log in before you can comment on or make changes to this bug.
Description Jeremy Boynes 2013-12-22 21:19:21 UTC
When a Cookie header is passed in "Netscape" format (with no RFC2109 $Version specified), quotation marks around the cookie value are stripped by Cookies#processCookieHeader.

As I read RFC2109, the user-agent is required to send a "cookie-version" at the start of the header. The "value" is defined by what was received in the SetCookie header from the server:
   The value of the cookie-version attribute must be the value from the
   Version attribute, if any, of the corresponding Set-Cookie response
   header.  Otherwise the value for cookie-version is 0.
RFC2965 has equivalent language.

RFC6265 (proposed) and Netscape do not require a "cookie-version" to be sent. RFC6265 defines "cookie-value" as including the DQUOTE characters and such a interpretation is consistent with Netscape.

User-agent support for RC2109/2965 seems limited. Initial testing with Chrome shows that it appears to retains quotation marks around cookie values even when RFC2109 Version=1 cookies are set.
Comment 1 Jeremy Boynes 2014-01-04 18:59:41 UTC
As an example, a cookie with value «"value"» (I'm using angled quotes in this comment for clarity) that is set using:
  Cookie cookie = new Cookie("test", "\"value\"");
will correctly set a cookie in the browser with the value «"value"»  that will then be returned to the server. However, when the value is retrieved using getCookies() and getValue() the string returned is just «value» 

However, if the value supplied is «a"b» then the value set in the browser becomes «"a\"b"» which does not match the value set. This will be returned to servers using the header:
Tomcat removes the leading and trailing quotes resulting a self-consistent round trip but other servers that treat this correctly as a V0 header will include those quotes in the value resulting in inconsistency.
Comment 2 Mark Thomas 2014-10-07 08:43:51 UTC
Fixed if using the Rfc6265CookieProcessor. I do not propose changing the LegacyCookieProcessor due to the risk of triggering regression issues for applications that rely on Tomcat's current behaviour.