https://issues.apache.org/bugzilla/show_bug.cgi?id=44679
--- Comment #34 from Peter Pichler <peter.pich...@csd.at> 2009-01-28 05:29:45 PST ---

I asked the JSR315 (Servlet 3.0) team for a clarification in the next servlet spec...

>>> Peter Pichler 28.01.09 14:14 -> jsr-315-comme...@jcp.org >>>

Hello!

I want to inform you about ambiguousness in the current Servlet-Spec, which was not corrected in the published draft java-doc for Servlet 3.0. My mail is motivated by a discussion with the tomcat developers (https://issues.apache.org/bugzilla/show_bug.cgi?id=44679#c29).

!!! Maybe you find some time to post your point of view to this bug report, which apache currently denies acceptance. Unofficially tomcat still has the status of a "reference implementation" of the Servlet spec... so I think it makes sense to help them improve their quality!!!

Cookie-API and Cookie0 Spec / Discussion about changes made in tomcat 6.0.16-6.0.18:
========================================

Currently there is a great discussion in the tomcat-bugzilla... (https://issues.apache.org/bugzilla/show_bug.cgi?id=44679#c29)

There are different points of view, but most parties agree that the problems are provoked by inconsistencies in the Servlet-Spec.

Problematic part of the servlet-spec:

> public Cookie(java.lang.String name, java.lang.String value)
> Constructs a cookie with a specified name and value.
> The name must conform to RFC 2109. That means it can contain only ASCII alphanumeric characters and cannot contain commas, semicolons, or white space or begin with a $ character. The cookie's name cannot be changed after creation.
> The value can be anything the server chooses to send. Its value is probably of interest only to the server. The cookie's value can be changed after creation with the setValue method.
> ....
> public void setValue(java.lang.String newValue)
> Assigns a new value to a cookie after the cookie is created.
> With Version 0 cookies, values should not contain white space, brackets, parentheses, equals signs, commas, double quotes, slashes, question marks, at signs, colons, and semicolons. Empty values may not behave the same way on all browsers.

Constructor:
The sentence in the constructor "The value can be anything the server chooses to send" is definitely too much...

setValue:
The BASE64 charset contains the slash and the equal mark... So the spec recommends base64 for binary information in the first sentence... and says it is not recommended in the second sentence...

__________
Proposal:
======

(REM You will have to translate the following text from Austrian-English to real English... )

Constructor:
Replace the text:
"The value can be anything the server chooses to send. Its value is probably of interest only to the server."
by
"The allowed character set for cookie values depends on the cookie version used. (see setValue(...) for details)"

Use the following text to explain Cookie.setValue(...) for Version 0:
"The following characters may not be used for a cookie0 value:
 * RFC2616-CTL characters (ASCII 0-31 and 127; forbidden characters for extension HTTP headers)
 * Semi-colon, comma and white space (explicitly forbidden by the cookie0 draft)
If you use a binary value, you may want to use BASE64 encoding."

_________________
Two further proposals for the next versions of the servlet-spec

Cookie1:
======
Fact: Cookie1-RFC (Released: 1997) has been invalidated by Cookie2 (released 2000). So the comment for Cookie.setVersion(...) is obsolete too and should be changed.

Replace
"Since RFC 2109 is still somewhat new, consider version 1 as experimental; do not use it yet on production sites."
by
"RFC 2109 (Cookie-1) has been obsoleted by RFC 2965 (Cookie-2); do not use it on production sites".

Cookie2:
======
From my point of view the cookie2-Spec looks suitable. Of course browser support is weak until now, but that can change quickly. The servlet spec should definitely support RFC2965 cookies.

Cookies and HttpOnly
=================
Microsoft defined this cookie feature outside any RFC. (See http://msdn.microsoft.com/en-us/library/ms533046.aspx). It is a useful additional security feature for cookies also supported by Mozilla and Opera.

Currently it is not possible to create HttpOnly Cookies using the servlet API. The HttpOnly feature complicates the usage of malicious Client-Side Cross-Site-Scripting within HTML applications. Security Reviews of applications may claim to use this feature... and it is more work to argue against it than to implement the cookie handling...

Yours sincerely
Peter Pichler
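The value rule the proposal above spells out (CTLs, semicolon, comma and white space forbidden; base64 output allowed) and the hand-assembled Set-Cookie header an application needed to get HttpOnly while the Servlet API could not set it, as an added Python example that is not part of this bug comment or of Tomcat; the function names and the sample token are my own.

```python
import base64
import re

# Characters the proposal forbids in a Version 0 cookie value:
# RFC 2616 CTLs (ASCII 0-31 and 127), semicolon, comma and white space.
# '/' and '=' (the base64 alphabet) are deliberately NOT in this set.
_FORBIDDEN_IN_VALUE = re.compile(r"[\x00-\x1f\x7f;,\s]")

# Name rule quoted from the Cookie constructor javadoc: ASCII alphanumerics only,
# which also rules out commas, semicolons, white space and a leading '$'.
_VALID_NAME = re.compile(r"^[A-Za-z0-9]+$")


def is_valid_cookie0_name(name: str) -> bool:
    return _VALID_NAME.match(name) is not None


def forbidden_chars(value: str) -> list:
    """Distinct characters in value that the proposed Version 0 rule forbids."""
    return sorted(set(_FORBIDDEN_IN_VALUE.findall(value)))


def is_valid_cookie0_value(value: str) -> bool:
    return not forbidden_chars(value)


def encode_binary_value(data: bytes) -> str:
    """Base64 for binary payloads, as the proposal suggests; the result passes
    is_valid_cookie0_value even though it may contain '/' and '='."""
    return base64.b64encode(data).decode("ascii")


def set_cookie_header(name: str, value: str, http_only: bool = True) -> str:
    """Hypothetical helper: build the Set-Cookie header value by hand, which is
    what an application had to do for HttpOnly before the Servlet API offered it.
    Names and values violating the rules above are rejected, never emitted."""
    if not is_valid_cookie0_name(name):
        raise ValueError(f"invalid cookie name: {name!r}")
    bad = forbidden_chars(value)
    if bad:
        raise ValueError(f"forbidden characters in cookie value: {bad!r}")
    parts = [f"{name}={value}"]
    if http_only:
        parts.append("HttpOnly")
    return "; ".join(parts)


if __name__ == "__main__":
    token = encode_binary_value(b"\x00\xff\xfe")  # constructed 3-byte sample
    print(set_cookie_header("SID", token))        # SID=AP/+; HttpOnly
    print(forbidden_chars("a b;c,d\x01"))         # ['\x01', ' ', ',', ';']
```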