Remy Maucherat wrote: > On Wed, 2009-11-11 at 16:45 -0500, Mark Thomas wrote: >> I really do loath cookies right now. I've pulled the proposed patches for >> 5.5.x >> and 6.0.x until I (or someone else) can take a look at this. > > I do too. v0 cookies is 15 years old stuff that Netscape hacked out of > thin air without thinking at all, and seemingly nobody wants to upgrade > since then :( > > The examples in the v1 spec (even the first one) are nice (everything is > always quoted, it's easy and it avoids problems ...), but the problems > occur if you try to enforce it (because the security folks ask for it) > and have to keep v0 support at the same time.
Getting back to your original concerns, what were these based on? You mentioned session cookies breaking because / gets treated as a separator. / only gets treated as a separator if you set org.apache.catalina.STRICT_SERVLET_COMPLIANCE=true (the default is false) or you set org.apache.tomcat.util.http.ServerCookie.FWD_SLASH_IS_SEPARATOR=true (again the default is false) My intention with this set of cookie patches was to: - keep the current behaviour by default - make STRICT_SERVLET_COMPLIANCE stricter (knowing this option on it's own may break many browsers) - provide additional options that let you disable those aspects of STRICT_SERVLET_COMPLIANCE that cause compatibility issues - add additional options (like allowing = in cookie values) that allow even less compliant usage The only place where the current behaviour should change is that single quote is no longer treated as a separator. I don't see that creating any issues. I have spotted a few issues in the patch where current behaviour does change. I'll get those fixed and re-propose the patches. Mark --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
