Cookie cookie = new Cookie(cookieName, cookieValue);
cookie.setDomain("[::1]");
response.addCookie(cookie);

java.lang.IllegalArgumentException: An invalid domain [[::1]] was specified for this cookie
    at org.apache.tomcat.util.http.Rfc6265CookieProcessor.validateDomain(Rfc6265CookieProcessor.java:213) ~[tomcat-coyote.jar:9.0.35]
    at org.apache.tomcat.util.http.Rfc6265CookieProcessor.generateHeader(Rfc6265CookieProcessor.java:153) ~[tomcat-coyote.jar:9.0.35]
    at org.apache.catalina.connector.Response.generateCookieString(Response.java:974) ~[catalina.jar:9.0.35]
    at org.apache.catalina.connector.Response.addCookie(Response.java:926) ~[catalina.jar:9.0.35]
    at org.apache.catalina.connector.ResponseFacade.addCookie(ResponseFacade.java:385) ~[catalina.jar:9.0.35]

https://tools.ietf.org/html/rfc2732 defines

host = hostname | IPv4address | IPv6reference
ipv6reference = "[" IPv6address "]"
Please see RFC 6265 for allowed values of the domain attribute.
(In reply to Mark Thomas from comment #2)
> Please see RFC 6265 for allowed values of the domain attribute.

There is a path to requesting IPv6, here:

https://tools.ietf.org/html/rfc6265#section-4.1.1 ("Syntax"):
"
domain-value = <subdomain>
               ; defined in [RFC1034], Section 3.5, as
               ; enhanced by [RFC1123], Section 2.1
"

https://tools.ietf.org/html/rfc1123#section-2.1 ("Host Names and Numbers"):
"
Whenever a user inputs the identity of an Internet host, it SHOULD be possible to enter either (1) a host domain name or (2) an IP address in dotted-decimal ("#.#.#.#") form. The host SHOULD check the string syntactically for a dotted-decimal number before looking it up in the Domain Name System.
"

This section does specify "user" as the source of the hostname, but since the user gets to choose the name they type into the browser, and therefore the "name of the host" they are contacting, an IP address seems like it should be legal.

Entering localhost or 127.0.0.1 as the hostname should work (and Tomcat seems to handle this, because the IP address matches [a-zA-z0-9]+(\.[a-zA-z0-9]+)*).

So I think maybe IPv6 should be allowed as well, no?

Created attachment 37270
Chrome DevTools

Chrome supports [::1] as cookie domain.
See section 5.1.3 of RFC 6265. It explicitly states that an IP address can not match a domain string.
FWIW, if there's something unclear about RFC 6265, or if it doesn't describe browser behavior correctly, this should be raised at https://github.com/httpwg/http-extensions/labels/6265bis
(In reply to Mark Thomas from comment #5)
> See section 5.1.3 of RFC 6265. It explicitly states that an IP address can
> not match a domain string.

+1

Thanks for the specific reference.
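
The domain-match rule from RFC 6265 section 5.1.3 that the thread settles on, as an added example (not Tomcat's code and not from any commenter): suffix matching applies only to host names, so an IP address can match only an identical string. The function names, the simplified `isIpLiteral` helper and the sample pairs are assumptions made for illustration.

```javascript
// Added example: RFC 6265 section 5.1.3 domain-match, as a user agent applies it.
// isIpLiteral() is a simplified, hypothetical helper (not a full address parser).

function canonicalize(host) {
  // Section 5.1.2 lower-cases the host; IDNA conversion is omitted here.
  return host.trim().toLowerCase();
}

function isIpLiteral(host) {
  const h = host.replace(/^\[|\]$/g, ""); // drop IPv6 reference brackets
  if (h.includes(":")) return true; // host names cannot contain ':'
  const octets = h.split(".");
  return octets.length === 4 &&
    octets.every((o) => /^\d{1,3}$/.test(o) && Number(o) <= 255);
}

// True when `host` (the request host) domain-matches `domain` (cookie Domain).
function domainMatches(host, domain) {
  const s = canonicalize(host);
  const d = canonicalize(domain);
  if (s === d) return true; // identical strings always match
  // Suffix matching is reserved for host names, never IP addresses.
  if (isIpLiteral(s)) return false;
  return d.length > 0 && s.endsWith("." + d);
}

// Constructed sample pairs: [request host, Domain attribute].
const samples = [
  ["www.example.com", "example.com"],   // subdomain of the Domain value
  ["example.com", "example.com"],       // identical host name
  ["badexample.com", "example.com"],    // suffix without a "." boundary
  ["127.0.0.1", "0.0.1"],               // textual suffix of an IPv4 address
  ["127.0.0.1", "127.0.0.1"],           // identical IPv4 string
  ["[::1]", "[::1]"],                   // identical IPv6 reference
  ["[::ffff:10.0.0.1]", "0.0.1]"],      // textual suffix of an IPv6 reference
];

function runSamples() {
  return samples.map(([host, domain]) => domainMatches(host, domain));
}

console.log(runSamples());
```

Because an IP address can only match itself, a Domain attribute never widens a cookie's scope on an IP host.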