The javax.servlet.http.CookieNameValidator has multiple implementations. If the org.apache.tomcat.util.http.ServerCookie.STRICT_NAMING system property is not specified, the javax.servlet.http.NetscapeValidator will be used by default. The NetscapeValidator allows HTTP separators (excluding semi-colon, comma and white space) in the cookie name. However, the Rfc6265CookieProcessor and the LegacyCookieProcessor do not allow HTTP separators in the cookie name. As a result, although Tomcat sends a cookie header that includes HTTP separators in the cookie name, Tomcat cannot receive the cookie header. I think that it lacks consistency. The CookieNameValidator and the CookieProcessor should be consistent. On the other hand, the implementation of CookieNameValidator to use can be switched by the org.apache.tomcat.util.http.ServerCookie.STRICT_NAMING system property, but cannot be switched per Context, like the CookieProcessor. I think that setting the CookieNameValidator per Context would be more useful.
The CookieNameValidator cannot be set per web application since it is set in the specification implementation and can, therefore, only be set globally. I have changed the default to the RFC6265 validator and restored the section of the docs that describes the STRICT_NAMING property. The fix has been applied to 9.0.x for 9.0.0.M7 onwards and 8.5.x for 8.5.3 onwards.
Created attachment 33955: patch against trunk

Hi Mark,

Thank you for the fix. I think this fix of changing the default to the RFC6265Validator and restoring the description of STRICT_NAMING system property is correct, but the Javadoc of javax.servlet.http.Cookie and the description of STRICT_NAMING system property have not been updated. I have attached the patch.
Thanks. Docs update for 9.0.x and 8.5.x. The patch will be in 9.0.0.M9 and 8.5.4 onwards.
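The mismatch reported at the top of this thread, as an added example that is not Tomcat source and not part of any comment above: it compares a Netscape-style name rule with the RFC 6265 token rule over constructed cookie names and flags names the first accepts but the second rejects. The class name, helper names and the exact excluded-character sets are assumptions based on the report's wording and the RFC 2616 separator list.

```java
import java.util.BitSet;

// Added illustration, not Tomcat source. Character sets are assumptions taken
// from the report's wording and the RFC 2616 separator list.
public class CookieNameMismatch {
    // Netscape rule per the report: no semi-colon, comma or white space.
    // '=' is also excluded here (assumption) because it delimits NAME=VALUE.
    static final String NETSCAPE_EXCLUDED = ",; =";
    // RFC 2616 separators; an RFC 6265 cookie-name is a token and may contain none.
    static final String HTTP_SEPARATORS = "()<>@,;:\\\"/[]?={} \t";

    // Build the set of characters a name may contain under one rule.
    static BitSet allowedSet(String excluded) {
        BitSet allowed = new BitSet(128);
        allowed.set(0x21, 0x7f); // visible US-ASCII; CTLs and space stay cleared
        for (char c : excluded.toCharArray()) {
            allowed.clear(c);
        }
        return allowed;
    }

    // True when every character of the name is in the allowed set.
    static boolean isValidName(String name, BitSet allowed) {
        if (name == null || name.isEmpty()) {
            return false;
        }
        for (int i = 0; i < name.length(); i++) {
            if (!allowed.get(name.charAt(i))) { // non-ASCII falls outside the set
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        BitSet netscape = allowedSet(NETSCAPE_EXCLUDED); // validator side (outgoing cookie)
        BitSet rfc6265 = allowedSet(HTTP_SEPARATORS);    // CookieProcessor side (incoming header)
        // Constructed sample names.
        String[] names = {"JSESSIONID", "user@example", "cart[0]", "a/b", "k=v", "x;y"};
        for (String n : names) {
            boolean send = isValidName(n, netscape);
            boolean recv = isValidName(n, rfc6265);
            String note = (send && !recv) ? "  <-- can be set but not read back" : "";
            System.out.printf("%-12s netscape=%-5b rfc6265=%-5b%s%n", n, send, recv, note);
        }
    }
}
```

With the default changed to the RFC 6265 validator, as described in the thread, the flagged names would be rejected when the cookie is created rather than lost on the return trip.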