Created attachment 33833
patch against trunk

When the value of a cookie includes the slash character ('/') and the cookie version is 0, org.apache.tomcat.util.http.LegacyCookieProcessor doesn't handle it correctly.

If the allowHttpSepsInV0 attribute is set to false and the forwardSlashIsSeparator attribute is set to true, the cookie value should be quoted. However, it is not quoted.

If the allowHttpSepsInV0 attribute is false and the forwardSlashIsSeparator attribute is true, allowedWithoutQuotes.clear('/') should be called.

Thanks for the report and the patch.

This has been fixed in:
9.0.x for 9.0.0.M5 onwards
8.5.x for 8.5.1 onwards
8.0.x for 8.0.34 onwards

7.0.x and earlier was not affected.
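
The quoting decision described in the report, as an added example that is not part of the original thread and is not Tomcat's source code: a simplified model showing a version 0 value containing '/' rendered with and without the requested `allowedWithoutQuotes.clear('/')`. Only `allowedWithoutQuotes`, the two attribute names and `clear('/')` come from the report; the class, the method names, the `patched` switch, the character sets and the sample cookie are assumptions made for illustration.

```java
import java.util.BitSet;

/** Simplified model of the quoting decision; hypothetical, not Tomcat source. */
public class CookieQuotingModel {
    // Assumption: these characters always force quoting in this model.
    static final String ALWAYS_QUOTED = "\",;\\ \t";
    // HTTP separators other than '/', which has its own attribute.
    static final String SEPS_EXCEPT_SLASH = "()<>@:[]?={}";

    static BitSet buildAllowedWithoutQuotes(boolean allowHttpSepsInV0,
            boolean forwardSlashIsSeparator, boolean patched) {
        BitSet allowedWithoutQuotes = new BitSet(128);
        allowedWithoutQuotes.set(0x21, 0x7F); // printable ASCII, 0x21..0x7E
        String cleared = allowHttpSepsInV0 ? ALWAYS_QUOTED : ALWAYS_QUOTED + SEPS_EXCEPT_SLASH;
        for (char c : cleared.toCharArray()) {
            allowedWithoutQuotes.clear(c);
        }
        // Reported behaviour (patched == false): '/' stays allowed.
        // Requested behaviour: clear '/' for this attribute combination.
        if (patched && !allowHttpSepsInV0 && forwardSlashIsSeparator) {
            allowedWithoutQuotes.clear('/');
        }
        return allowedWithoutQuotes;
    }

    static boolean needsQuotes(BitSet allowed, String value) {
        for (int i = 0; i < value.length(); i++) {
            if (!allowed.get(value.charAt(i))) {
                return true; // also covers non-ASCII: bits above 127 are never set
            }
        }
        return false;
    }

    static String render(String name, String value, BitSet allowed) {
        String quoted = "\"" + value.replace("\\", "\\\\").replace("\"", "\\\"") + "\"";
        return needsQuotes(allowed, value) ? name + "=" + quoted : name + "=" + value;
    }

    public static void main(String[] args) {
        String value = "docs/index"; // constructed sample value
        for (boolean patched : new boolean[] {false, true}) {
            BitSet allowed = buildAllowedWithoutQuotes(false, true, patched);
            System.out.println("patched=" + patched + " -> " + render("path", value, allowed));
        }
    }
}
```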