Bug 60627 - Wrong cookie makes Rfc6265CookieProcessor ommit all following cookies
Summary: Wrong cookie makes Rfc6265CookieProcessor ommit all following cookies
Alias: None
Product: Tomcat 8
Classification: Unclassified
Component: Catalina (show other bugs)
Version: 8.5.8
Hardware: PC All
: P2 minor (vote)
Target Milestone: ----
Assignee: Tomcat Developers Mailing List
Depends on:
Reported: 2017-01-23 10:52 UTC by Ales Dolecek
Modified: 2017-01-27 20:15 UTC (History)
1 user (show)


Note You need to log in before you can comment on or make changes to this bug.
Description Ales Dolecek 2017-01-23 10:52:16 UTC
Our client (NGi/GVP Media Control Platform (Build: sends following Cookie header with request:

Cookie: $Version="0"; JSESSIONID=3BE951FE7F4A2BA1A47390E6674256A3.WH5; $Path=/ivr-csob

The cookie is not processed however and new session is created. If the JSESSIONID cookie goes before the $Version cookie it understood.

The old LegacyCookieProcessor can understand it - so we have forced the application to use it.

I'm aware that the Cookie hewader is not RFC6265 compliant, but it would be nice if it tired to process all cookies specified in the header and not fail after first parsing error. From this point of view is the new processor less lenient thatn the old one.
Comment 1 Ales Dolecek 2017-01-23 16:09:45 UTC
The format used by the client is RFC 2109 or RFC 2965. So I guess it was probably dropped from Rfc6265CookieProcessor intentionally.
Comment 2 Mark Thomas 2017-01-23 17:03:54 UTC
The RFC6265 parser switches to RFC2109 rules if it sees $Version="1". It currently treats any other version as unknown and rejects the header.

We could configure the RFC6265 parser to parse version 0 either with the RFC2109 parser or the RFC6265 parser. I'm leaning towards RFC2109 but I'd like to give this a little more thought. Also, any feedback would be very welcome.
Comment 3 Mark Thomas 2017-01-27 20:15:42 UTC
Fixed in:
- trunk for 9.0.0.M18 onwards
- 8.5.x for 8.5.12 onwards