On 11/11/2009 02:45 PM, Mark Thomas wrote:
Remy Maucherat wrote:
Hi,
I think cookies are still broken, and this is getting more and more
complex. The apparent issue is that the parser applies v1 parsing rules
when parsing v0 cookies (which are generated using a much more lenient
character exclusion), resulting in cookies that cannot be parsed back.
A simple example is a regular cookie session (!), where the path cannot
even be parsed back ('/' is now in the "specials" list).
Maybe we could parse as v0, and validate the bytes if the cookie turned
out to be v1?
I really do loathe cookies right now.
I don't blame you.
I've pulled the proposed patches for 5.5.x
and 6.0.x until I (or someone else) can take a look at this.
Cookies, while the spec on v1 is somewhat clear, are a nasty can of
worms. Mostly because user agents over the years have taken all kinds of
liberties. When J-F-C and myself refactored some of it a while ago, we
went through that whole exercise. It's not something you patch up and
throw out there. Even as careful as we thought we were, we broke a
shitload, and then slowly added in some leniency towards the most common
user agent errors.
So I think your idea of waiting a bit is wise.
best
Filip
Mark
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
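
The mismatch Remy describes, and his suggestion to parse as v0 and validate only when the cookie turns out to be v1, as an added Java example; it is not Tomcat's code and not part of the original thread. The class name, method names and sample headers are hypothetical; the character list is the `tspecials` set from RFC 2109.

```java
import java.util.LinkedHashMap;
import java.util.Map;

public class CookieRoundTrip {
    // RFC 2109 "tspecials": characters a v1 token may not contain. '/' is one of them.
    static final String TSPECIALS = "()<>@,;:\\\"/[]?={} \t";

    static boolean isV1Token(String s) {
        for (char c : s.toCharArray())
            if (c <= 0x20 || c >= 0x7f || TSPECIALS.indexOf(c) >= 0) return false;
        return !s.isEmpty();
    }

    // v0-style split: a value runs up to the next ';'.
    // Simplification: a ';' inside a quoted string is not handled.
    static Map<String, String> parseV0(String header) {
        Map<String, String> raw = new LinkedHashMap<>();
        for (String part : header.split(";")) {
            int eq = part.indexOf('=');
            if (eq > 0) raw.put(part.substring(0, eq).trim(), part.substring(eq + 1).trim());
        }
        return raw;
    }

    // Parse leniently first; enforce token rules only if the cookie declares $Version=1.
    static Map<String, String> parse(String header) {
        Map<String, String> raw = parseV0(header);
        boolean v1 = raw.getOrDefault("$Version", "0").replace("\"", "").equals("1");
        for (Map.Entry<String, String> e : raw.entrySet()) {
            String v = e.getValue();
            boolean quoted = v.length() >= 2 && v.startsWith("\"") && v.endsWith("\"");
            if (quoted) e.setValue(v.substring(1, v.length() - 1));
            else if (v1 && !isV1Token(v))
                throw new IllegalArgumentException("not a v1 token: " + e.getKey() + "=" + v);
        }
        return raw;
    }

    public static void main(String[] args) {
        // Constructed sample headers (not taken from the thread).
        String[] samples = {
            "JSESSIONID=ABC123; Path=/app",                      // v0: bare '/' is legal
            "$Version=\"1\"; JSESSIONID=ABC123; $Path=\"/app\"", // v1: path quoted
            "$Version=1; JSESSIONID=ABC123; $Path=/app" };       // v1: bare '/' is not a token
        for (String h : samples) {
            try { System.out.println(parse(h)); }
            catch (IllegalArgumentException ex) { System.out.println("rejected: " + ex.getMessage()); }
        }
    }
}
```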