https://issues.apache.org/bugzilla/show_bug.cgi?id=44679
--- Comment #31 from Peter Pichler <peter.pich...@csd.at> 2009-01-26 12:06:15 PST ---

1-3) Browser Support for cookie values containing "="
================================================

I have a lot of experience with using base64 encoded binary information in cookie values. We have used it for at least three years with several 100000 requests per hour from all browsers imaginable. There is no browser or other HTTP component (Content-Switch, proxy, firewall, ...) I know which does not support the "=" character in cookie0 values. (if you know one except the newer versions of the tomcat servlet engine... please tell me)

Besides... cookie0 spec allows "=" mark in cookie0 value... so it would be a problem of the browser, if this char would not be supported...

An "=" character in a cookie0 value does not produce an ambiguity
=================================================================

From the beginning to the first "=" mark it is the cookie name... The value starts at the first char after the "=" mark and ends when a semicolon (;) appears (or at the end of the line).

I see no problems to determine a distinct interpretation of a cookie0 Header, if there is an equal mark character in its value. Please correct me, if I forgot anything...

RFC2109
=======

It is not ok to argue with RFC2109, when we are talking about version0 cookies... As already mentioned... RFC2109 has been obsoleted by RFC 2965... So it makes no sense to argue with this RFC in any case

Chapter Abstract first page of RFC2965
!!!! This document reflects implementation experience with RFC 2109 and obsoletes it. !!!!

I agree... the basic problem is in the servlet spec
===================================================

You are right... the basic problem is the servlet spec. They still refer to the obsoleted Cookie1 RFC and ignore the actual spec RFC2965. (further inconsistencies should be corrected; like saying "use base64 encoding for binary information" in the first sentence and "you should not use characters like ... slash, the equal mark,..." in the next sentence...)

I do not want to bother you... I want to help to improve the quality of the tomcat engine... I think tomcat should support cookie0 with all its features,... (It is a horror, that a .NET and a tomcat application can not share information with a base64 encoded cookie... not because .NET is so weak... but because tomcat is not able to handle cookie0 values containing a "=").

I will not reopen this bug again, because I do not have new arguments. (I do not understand why this bug has been closed.... but I do not have the time to play the reopen-close game...). Please read again my arguments and think about reopening this bug...

Especially because you are trying to solve security issues, you should take care of backward compatibility... (when writing a new HTML-app it's no problem to URL-Encode cookie-values...)
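
Added example, not part of the comment above and not Tomcat's code: the version-0 parsing rule the comment describes, next to a hypothetical parser that also ends the value at a later "=", run on a base64 cookie value with padding. The function names, the cookie names and the sample header are constructed for illustration.

```python
import base64
import binascii


def parse_cookie0(header):
    """Version-0 rule from the comment: the name ends at the first "=",
    the value runs to the next ";" or the end of the header line."""
    cookies = {}
    for pair in header.split(";"):
        name, sep, value = pair.partition("=")
        if sep and name.strip():          # skip fragments with no name or no "="
            cookies[name.strip()] = value.strip()
    return cookies


def parse_equals_terminates(header):
    """Hypothetical strict parser: a further "=" also ends the value."""
    return {n: v.split("=", 1)[0] for n, v in parse_cookie0(header).items()}


def decode_session(value):
    """Return the decoded bytes, or None if the value is not valid base64."""
    try:
        return base64.b64decode(value, validate=True)
    except binascii.Error:
        return None


# Constructed sample: 7 payload bytes, so the encoding ends in "==" padding.
PAYLOAD = b"user=42"
TOKEN = base64.b64encode(PAYLOAD).decode("ascii")
HEADER = "theme=dark; session=" + TOKEN + "; lang=en"

if __name__ == "__main__":
    for parser in (parse_cookie0, parse_equals_terminates):
        value = parser(HEADER)["session"]
        print(parser.__name__, repr(value), decode_session(value))
```

With the first-"=" rule the padded value survives intact and decodes; the strict variant drops the padding, so a peer that validates base64 padding rejects the cookie.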