Suppose I have an application running at context path '/my-webapp'. Then I create a basic cookie with name '/my-webapp'. With Tomcat 8.0.33: When I try to retrieve it from the application with request.getCookies(), the cookie is present. With Tomcat 8.5.5: When I try to retrieve it from the application with request.getCookies(), the cookie is missing. All tests were run on Chrome and Firefox. Both browsers always send the wanted cookie according to their developer panels.
As of Tomcat 8.5.x, cookies are processed as per RFC6265. '/' is not a valid character for a cookie name in RFC6265 so the cookie will be ignored. You have the option of fixing the broken cookie or configuring Tomcat to use the legacy cookie parser. Further support is available from the Tomcat users mailing list.
Hello, Ok I understand. But why does Tomcat 8.5.5 correctly create the cookie with '/' in its name when the application asks it? Don't you think an exception should be thrown at cookie creation in this case? I think this behaviour lack of consistency.
Agreed. Generation and parsing should be consistent. '/' was an edge case that wasn't handled correctly. I'll get that fixed.
This has been fixed in the following branches: - 9.0.x for 9.0.0.M11 onwards - 8.5.x for 8.5.6 onwards
Thank you