Bug 59655 - The CookieNameValidator has an issue related to consistency
Alias: None
Product: Tomcat 9
Classification: Unclassified
Component: Catalina
Version: unspecified
Hardware: All
OS: All
Importance: P2 normal
Target Milestone: -----
Assignee: Tomcat Developers Mailing List
Depends on:
Reported: 2016-06-02 08:35 UTC by Kyohei Nakamura
Modified: 2016-06-20 10:45 UTC

patch against trunk (1.73 KB, patch)
2016-06-16 11:10 UTC, Kyohei Nakamura

Description Kyohei Nakamura 2016-06-02 08:35:19 UTC
The javax.servlet.http.CookieNameValidator has multiple implementations.
If the org.apache.tomcat.util.http.ServerCookie.STRICT_NAMING system property is not specified, the javax.servlet.http.NetscapeValidator will be used by default.

The NetscapeValidator allows HTTP separators (excluding semi-colon, comma and white space) in the cookie name.
However, the Rfc6265CookieProcessor and the LegacyCookieProcessor do not allow HTTP separators in the cookie name.
As a result, although Tomcat sends a cookie header that includes HTTP separators in the cookie name, Tomcat cannot receive that cookie header.
I think that this lacks consistency.
The CookieNameValidator and the CookieProcessor should be consistent.

On the other hand, the CookieNameValidator implementation to use can be switched with the org.apache.tomcat.util.http.ServerCookie.STRICT_NAMING system property, but it cannot be switched per Context like the CookieProcessor can.
I think that setting the CookieNameValidator per Context would be more useful.
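The mismatch the report describes can be made concrete with a small simulation. The following is an added example, not code from Tomcat or from the reporter: it reimplements the two naming rules as the report states them (the Netscape rule forbids only semicolon, comma and white space; the RFC 6265 rule treats cookie-name as an RFC 2616 token, so every HTTP separator is forbidden) and then pushes a name through a sending side guarded by one validator and a receiving side that parses like an RFC 6265 processor. The function names, the assumption that both validators also reject empty names and control characters, and the assumption that the receiving side silently drops a pair with an invalid name are all mine, not Tomcat's.

```python
"""Added example (not Tomcat's code): contrasts the Netscape-style and
RFC 6265 cookie-name rules and simulates the send/receive round trip."""

# RFC 2616 section 2.2 "separators"; a token may not contain any of them.
HTTP_SEPARATORS = frozenset('()<>@,;:\\"/[]?={} \t')

# The Netscape-style rule as the report states it: only semicolon, comma
# and white space are forbidden, so separators such as '/' or '@' pass.
NETSCAPE_FORBIDDEN = frozenset(',; \t')


def _is_printable_ascii(name: str) -> bool:
    # Assumption: both validators reject empty names, US-ASCII control
    # characters (0x00-0x1F, 0x7F, which includes SP via the strict bound)
    # and anything outside US-ASCII.
    return bool(name) and all(0x20 < ord(ch) < 0x7F for ch in name)


def is_rfc6265_name(name: str) -> bool:
    """cookie-name per RFC 6265 is an RFC 2616 token: no separators at all."""
    return _is_printable_ascii(name) and not (set(name) & HTTP_SEPARATORS)


def is_netscape_name(name: str) -> bool:
    """Looser rule: only ';', ',' and white space are rejected."""
    return _is_printable_ascii(name) and not (set(name) & NETSCAPE_FORBIDDEN)


def build_set_cookie(name: str, value: str, validator) -> str:
    """Sending side: the validator guards cookie construction, the same way
    the CookieNameValidator guards the Cookie constructor."""
    if not validator(name):
        raise ValueError(f"invalid cookie name: {name!r}")
    return f"{name}={value}"


def parse_cookie_header(header: str) -> dict:
    """Receiving side modelled on an RFC 6265 processor: each name=value
    pair whose name is not a token is dropped instead of being delivered
    to the application (assumption about the drop behaviour)."""
    cookies = {}
    for pair in header.split(';'):
        pair = pair.strip()
        if not pair:
            continue
        name, sep, value = pair.partition('=')
        if sep and is_rfc6265_name(name):
            cookies[name] = value
    return cookies


def round_trip(name: str, value: str = 'v', validator=is_netscape_name):
    """Value the server gets back after the client echoes the cookie, or
    None if the name never survives the round trip."""
    try:
        set_cookie = build_set_cookie(name, value, validator)
    except ValueError:
        return None
    # A client echoes "name=value" in the Cookie request header unchanged.
    return parse_cookie_header(set_cookie).get(name)


def sends_but_cannot_receive(name: str) -> bool:
    """True exactly for the inconsistent case the report describes: the
    default (Netscape) validator lets the cookie out, the RFC 6265
    processor refuses to read it back."""
    return is_netscape_name(name) and not is_rfc6265_name(name)


if __name__ == '__main__':
    for n in ('JSESSIONID', 'a/b', 'user@host', 'bad;name'):
        print(f"{n!r:14} netscape={is_netscape_name(n)} "
              f"rfc6265={is_rfc6265_name(n)} round_trip={round_trip(n)!r}")
```

Running it shows that a name such as `a/b` is accepted by the Netscape rule, emitted in Set-Cookie, and then dropped on the way back in, whereas with `validator=is_rfc6265_name` the same name is refused up front, which is the consistent behaviour the report asks for.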
Comment 1 Mark Thomas 2016-06-06 14:22:20 UTC
The CookieNameValidator cannot be set per web application since it is set in the specification implementation and can, therefore, only be set globally. I have changed the default to the RFC6265 validator and restored the section of the docs that describes the STRICT_NAMING property.

The fix has been applied to 9.0.x for 9.0.0.M7 onwards and 8.5.x for 8.5.3 onwards.
Comment 2 Kyohei Nakamura 2016-06-16 11:10:25 UTC
Created attachment 33955 [details]
patch against trunk

Hi Mark,

Thank you for the fix.
I think this fix of changing the default to the RFC6265Validator and restoring the description of the STRICT_NAMING system property is correct, but the Javadoc of javax.servlet.http.Cookie and the description of the STRICT_NAMING system property have not been updated.
I have attached the patch.
Comment 3 Mark Thomas 2016-06-20 10:45:09 UTC
Thanks. Docs updated for 9.0.x and 8.5.x. The patch will be in 9.0.0.M9 and 8.5.4 onwards.