> -----Original Message-----
> From: Mladen Turk [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, December 07, 2005 10:09 AM
> To: Tomcat Developers List
> Subject: Re: [PATCH] Cookie, Cookie2 Header fix for mod_jk
>
> Andre Gebers wrote:
> > Hi,
> >
> > newer versions of opera send the Cookie2-header along with the
> > Cookie-header which looks somewhat like this:
> >
>
> Right, but the patch would not work.
> It would be a security hole, because the http rfc
> differentiates cookie from cookie2.
>
> Right now the Cookie2 header is passed as unknown header,
> so it should work anyhow if the remote accepts the Cookie2.
> IIRC it is not part of Servlet-spec, so it would not show
> in javax.servlet.Cookie.
>
I agree that the patch is simply masking the real problem. With the current mod_jk code what Tomcat sees is:

Cookie: myCookie=1234
Cookie: $Version=1

which it should handle just fine. After the patch, it sees the correct headers, but ignores the Cookie2 one. So it looks like it's really a problem with multi-valued headers (but I don't see anything immediately jumping out at me in the code).

> We would need to extend the AJP1.3 protocol to support
> missing HTTP/1.1 features (the Cookie2 is not the only one).
>
> I'm in a process of proposing those additions, but it will
> probably be inside jk3 (jk1.3).
>
> Thanks,
> Mladen.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
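A cookie parser that reads both header shapes contrasted in the reply above, as an added example that is not mod_jk's or Tomcat's code; it assumes RFC 2965 semantics (`$`-prefixed tokens are attributes, `Cookie2` only advertises client support and carries no cookies), and the header lists are constructed:

```python
from typing import Dict, List, Tuple

Header = Tuple[str, str]

# Constructed inputs: shape A is the pair of Cookie headers the reply says
# Tomcat sees today; shape B is the header set after the proposed patch.
SHAPE_A: List[Header] = [("Cookie", "myCookie=1234"), ("Cookie", "$Version=1")]
SHAPE_B: List[Header] = [("Cookie", "myCookie=1234"), ("Cookie2", "$Version=1")]


def parse_cookies(headers: List[Header]) -> Tuple[int, bool, Dict[str, str]]:
    """Return (version, cookie2_advertised, {name: value}).

    Every Cookie header instance is read, since a request may carry the
    header more than once (the multi-valued case the reply suspects).
    Cookie2 is recorded but never parsed for cookies: under RFC 2965 it
    only tells the server that the client understands Set-Cookie2.
    """
    version = 0
    cookie2 = False
    cookies: Dict[str, str] = {}
    for name, value in headers:
        lname = name.lower()
        if lname == "cookie2":
            cookie2 = True
            continue
        if lname != "cookie":
            continue
        # RFC 2965 allows ';' or ',' between cookie-values.
        for token in value.replace(",", ";").split(";"):
            if "=" not in token:
                continue
            key, val = (s.strip() for s in token.split("=", 1))
            val = val.strip('"')
            if key.lower() == "$version":
                version = int(val) if val.isdigit() else version
            elif key.startswith("$"):
                continue  # $Path/$Domain/$Port belong to the preceding cookie
            elif key:
                cookies[key] = val
    return version, cookie2, cookies
```

Both shapes yield the same `myCookie` value; only the `$Version` bookkeeping and the Cookie2 flag differ, which is why folding Cookie2 into Cookie loses information the server may want.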