This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/9.0.x by this push:
new 8c6a6454c1 Expand comment
8c6a6454c1 is described below
commit 8c6a6454c12e1935ac1d11daf17b169da573f913
Author: Mark Thomas <[email protected]>
AuthorDate: Wed Aug 13 10:00:52 2025 +0100
Expand comment
This is largely an attempt to save me (and anyone else) time in the
future when they wonder why things are the way they are.
---
.../tomcat/util/http/CookiesWithoutEquals.java | 43 ++++++++++++++++++++--
1 file changed, 39 insertions(+), 4 deletions(-)
diff --git a/java/org/apache/tomcat/util/http/CookiesWithoutEquals.java
b/java/org/apache/tomcat/util/http/CookiesWithoutEquals.java
index a1fca34065..5cb86949bb 100644
--- a/java/org/apache/tomcat/util/http/CookiesWithoutEquals.java
+++ b/java/org/apache/tomcat/util/http/CookiesWithoutEquals.java
@@ -27,10 +27,45 @@ public enum CookiesWithoutEquals {
* There is no VALUE option since the Servlet specification does not
permit the creation of a Cookie with a name
* that is either null or the zero length string.
*
- * The historical intention (from the user agent perspective) of using a
name-value-pair without an equals sign has
- * been to indicate a cookie with a name but no value. Tomcat has done the
opposite. The current RFC6265bis text
- * treats a name-value-pair without an equals sign as a cookie with a
value but no name. Supporting this will
- * require changes to the Servlet specification.
+ * In RFC 2019, cookie name and value were defined as follows:
+ * cookie = NAME "=" VALUE *(";" cookie-av)
+ * NAME = attr
+ * VALUE = value
+ * attr = token
+ * value = word
+ * And from RFC 2068
+ * token = 1*<any CHAR except CTLs or tspecials>
+ * word = *TEXT
+ * Set-Cookie and Cookie used the same definition.
+ * Name had to be at least one character, equals sign was required, value
could be the empty string.
+ *
+ * In RFC 2965, the definition of value changed to:
+ * value = token | quoted-string
+ * Set-Cookie2 and Cookie use the same definition.
+ * Name had to be at least one character, equals sign was required, value
could not be the empty string (it could
+ * be "").
+ *
+ * In RFC6265, which aimed to document actual usage, cookie name and value
are defined as follows:
+ * cookie-pair = cookie-name "=" cookie-value
+ * cookie-name = token
+ * cookie-value = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE )
+ * For the user agent, the equals sign was required and cookies with no
name were ignored.
+ *
+ * In RFC6265bis, the definitions are unchanged.
+ * For the user agent:
+ * - a name-value-pair without an equals sign is treated as the value of
a cookie with an empty name.
+ * - both empty name and empty value are allowed but if both are empty
the cookie will be ignored.
+ *
+ * To see how RFC6265 arrived at his behaviour, see:
+ * https://github.com/httpwg/http-extensions/issues/159
+ *
+ * Historically, the users agents settled on using a name-value-pair
without an equals sign to indicate a cookie
+ * with a value but no name. Tomcat did the opposite. That arose from
addressing this bug:
+ * https://bz.apache.org/bugzilla/show_bug.cgi?id=49000 which was based on
observed but not understood client
+ * behaviour.
+ *
+ * The current RFC6265bis text explicitly treats a name-value-pair without
an equals sign as a cookie with a value
+ * but no name. There are currently no plans for the Servlet specification
to support nameless cookies.
*/
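Review bot: The first added line cites "RFC 2019", but the original HTTP State Management Mechanism specification that defines `cookie = NAME "=" VALUE *(";" cookie-av)` is RFC 2109; as written, the reference sends a future reader to an unrelated document, which defeats the purpose of the expanded comment. Two smaller points in the same block: "To see how RFC6265 arrived at his behaviour" should read "this behaviour", and since the preceding paragraph describes the RFC6265bis handling and the link points at the http-extensions tracker, the sentence presumably means RFC6265bis rather than RFC6265. "Historically, the users agents settled on" should be "the user agents". It would also help to use one spelling throughout ("RFC 6265" or "RFC6265"), since the block currently mixes "RFC 2965" with "RFC6265".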