Dillon Sellars wrote:
> read non-standard cookies set by 3rd parties. In my case, the cookie value
> is not enclosed in double quotes and has a couple of spaces in it, so tomcat
> 6.0.16 and above read the cookie value to the first space. There are a
> couple other comments in bugs about problems with cookie names with colons
> and the common base64 encoded string with the trailing =.
> There was some talk about adding configuration options to Tomcat to handle
> specific cases. I was thinking about allowing lenient cookie parsing at the
> context level or globally by defining the separator characters as ',' and
> ';' when parsing cookie values (this appears to be the Tomcat
> 6.0.14 behavior). As mentioned in the 44679 bug there were security
> concerns with pre-6.0.16 cookie parsing - will the security concerns /
> browser issues return with this approach? If so, does it make sense to
> perform lenient cookie parsing for specific cookie names to limit the
> security risk? This would not really help people with cookie name problems
> and would likely impact cookie parsing performance. I don't see a
> particularly elegant solution emerging. Thoughts?

1. Lobby the vendors of the third party services to provide spec compliant cookies. In your case, including spaces in the value is a clear violation of the spec so you should have a strong case.

2. I would prefer not to change the cookie parsing code. I suspect the type of changes you are suggesting would be quite invasive as the various static constants would no longer be constant.

3. For broken cookies that Tomcat won't parse, you can always parse the cookie header yourself. I'd look at what you could do in a filter to read the header and then fix it. If I get a chance I'll take a look at writing an example to do this.

Mark
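
A sketch of the filter approach from point 3 of the reply, added here as an example; it is not code from the thread or from Tomcat. It assumes the javax.servlet API, and the cookie name `vendor_pref` and the request attribute `lenientCookies` are hypothetical. Lenient parsing is applied only to allowlisted names, as the question proposes for limiting the security risk, and Tomcat's own `getCookies()` result is left untouched.

```java
import java.io.IOException;
import java.util.*;
import java.util.regex.Pattern;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;

/** Added example: re-parses the raw Cookie header for allowlisted names only. */
public class LenientCookieFilter implements Filter {
    // Hypothetical name; list only the third-party cookies known to be non-compliant.
    private static final Set<String> LENIENT = new HashSet<String>(Arrays.asList("vendor_pref"));
    private static final Pattern CTRL = Pattern.compile("\\p{Cntrl}");

    /** Splits on ';' and ',' only, so spaces and a trailing '=' stay in the value. */
    static Map<String, String> parseLenient(String header) {
        Map<String, String> found = new LinkedHashMap<String, String>();
        if (header == null) return found;
        for (String pair : header.split("[;,]")) {
            int eq = pair.indexOf('=');
            if (eq <= 0) continue;                      // no name, or no '=' at all
            String name = pair.substring(0, eq).trim();
            String value = pair.substring(eq + 1).trim();
            // Skip names outside the allowlist and values carrying control characters.
            if (LENIENT.contains(name) && !CTRL.matcher(value).find()) found.put(name, value);
        }
        return found;
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            Enumeration<?> headers = ((HttpServletRequest) req).getHeaders("Cookie");
            StringBuilder raw = new StringBuilder();
            while (headers != null && headers.hasMoreElements()) raw.append(headers.nextElement()).append(';');
            // Publish the re-parsed values separately from the container's own cookie parsing.
            req.setAttribute("lenientCookies", parseLenient(raw.toString()));
        }
        chain.doFilter(req, res);
    }

    public void init(FilterConfig config) {}
    public void destroy() {}
}
```

Application code would read the map with `request.getAttribute("lenientCookies")` after the filter is mapped in `web.xml`; every other cookie still goes through the container's strict parser.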