On 26/08/2024 15:14, Christopher Schultz wrote:
All,
On 8/16/24 11:25, Mark Thomas wrote:
On 16/08/2024 13:40, Tim Funk wrote:
How about missingEqualsCookie="allow | ignore"?
The proposed options were:
- ignore
- name
- value
By using [allow | ignore] instead of yes/no, it opens the door to
additional behaviors (such as reject, which triggers an HTTP error).
Agreed.
I think maybe we should couple this new configuration attribute with an
enabled-by-default Valve (maybe only in 11/12, disabled-by-default in
9/10) that detects empty cookie names and throws an exception and/or
returns a 400 response.
"ignore" should remove the cookie entirely and allow requests containing
these to be serviced. Using the "value" option with this Valve enabled
would cause a 400 response.
Or it could be worked into an existing Valve/Filter such as the
HttpHeaderSecurityFilter or similar.
Or we could add a "reject" option to the configuration setting that
triggered an exception.
Mark
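
An added example, not part of the thread and not Tomcat code: a stand-alone sketch of how a Cookie header containing a pair without "=" would come out under each option discussed above. The class, enum and method names are hypothetical, and it assumes "name" means the bare token becomes the cookie name with an empty value, "value" means it becomes the value of a cookie with an empty name, and "reject" surfaces as an exception the caller would map to a 400 response.

```java
import java.util.LinkedHashMap;
import java.util.Map;

public class MissingEqualsCookieDemo {

    // Hypothetical policy names, taken from the options discussed in the thread.
    enum Policy { IGNORE, NAME, VALUE, REJECT }

    /** Parses a Cookie request header value; pairs without '=' are handled per policy. */
    static Map<String, String> parse(String header, Policy policy) {
        Map<String, String> cookies = new LinkedHashMap<>();
        for (String pair : header.split(";")) {
            String p = pair.trim();
            if (p.isEmpty()) {
                continue;
            }
            int eq = p.indexOf('=');
            if (eq >= 0) {
                // Ordinary name=value pair.
                cookies.put(p.substring(0, eq).trim(), p.substring(eq + 1).trim());
                continue;
            }
            switch (policy) {
                case IGNORE: break;                       // drop the cookie, still serve the request
                case NAME:   cookies.put(p, ""); break;   // assumption: token is the name, empty value
                case VALUE:  cookies.put("", p); break;   // assumption: token is the value, empty name
                case REJECT:                              // caller would turn this into a 400 response
                    throw new IllegalArgumentException("cookie without '=' in Cookie header");
            }
        }
        return cookies;
    }

    public static void main(String[] args) {
        // Constructed sample header: the middle pair has no '='.
        String header = "JSESSIONID=abc123; orphan; theme=dark";
        for (Policy policy : Policy.values()) {
            try {
                System.out.println(policy + " -> " + parse(header, policy));
            } catch (IllegalArgumentException e) {
                System.out.println(policy + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```

Under VALUE the resulting map contains an empty-string key, which is the condition the proposed Valve would detect and answer with a 400.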