Mark Thomas wrote:
> Remy Maucherat wrote:
>> On Wed, 2009-11-11 at 16:45 -0500, Mark Thomas wrote:
>>> I really do loathe cookies right now. I've pulled the proposed patches for
>>> 5.5.x and 6.0.x until I (or someone else) can take a look at this.
>> I do too. v0 cookies is 15 years old stuff that Netscape hacked out of
>> thin air without thinking at all, and seemingly nobody wants to upgrade
>> since then :(
>>
>> The examples in the v1 spec (even the first one) are nice (everything is
>> always quoted, it's easy and it avoids problems ...), but the problems
>> occur if you try to enforce it (because the security folks ask for it)
>> and have to keep v0 support at the same time.
>
> Getting back to your original concerns, what were these based on?

I've done some more digging and I think I have found what was causing this.
I'll have a fix for trunk shortly and (after some testing) I'll re-propose.

Mark

> You mentioned session cookies breaking because / gets treated as a separator. /
> only gets treated as a separator if you set
> org.apache.catalina.STRICT_SERVLET_COMPLIANCE=true (the default is false) or you
> set org.apache.tomcat.util.http.ServerCookie.FWD_SLASH_IS_SEPARATOR=true (again
> the default is false)
>
> My intention with this set of cookie patches was to:
> - keep the current behaviour by default
> - make STRICT_SERVLET_COMPLIANCE stricter (knowing this option on its own may
> break many browsers)
> - provide additional options that let you disable those aspects of
> STRICT_SERVLET_COMPLIANCE that cause compatibility issues
> - add additional options (like allowing = in cookie values) that allow even less
> compliant usage
>
> The only place where the current behaviour should change is that single quote is
> no longer treated as a separator. I don't see that creating any issues.
>
> I have spotted a few issues in the patch where current behaviour does change.
> I'll get those fixed and re-propose the patches.
>
> Mark
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: dev-h...@tomcat.apache.org
> ---------------------------------------------------------------------
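As an added illustration, not code from this thread or from Tomcat's ServerCookie: a small Python tokenizer whose options stand in for the settings Mark describes, showing why an unquoted session id containing `/` is cut short once `/` counts as a separator, why a quoted v1-style value is not, and why `=` inside a value needs its own option. The names `ParserOptions`, `separators` and `parse_cookie_header`, and the lenient "drop the remainder up to the next `;`" recovery, are assumptions of this illustration.

```python
from dataclasses import dataclass

# RFC 2616 "separators" (the strict / v1 path). '/' is among them, which is
# why strict parsing cuts an unquoted value such as abc/def at the slash.
RFC2616_SEPARATORS = set('()<>@,;:\\"/[]?={} \t')
# Lenient v0-style set: only the characters browsers use between pairs.
V0_SEPARATORS = set(';,=')


@dataclass(frozen=True)
class ParserOptions:                      # assumed names, modelled on the thread
    strict: bool = False                  # stands in for STRICT_SERVLET_COMPLIANCE
    fwd_slash_is_separator: bool = False  # stands in for FWD_SLASH_IS_SEPARATOR
    allow_equals_in_value: bool = False   # "allowing = in cookie values"


def separators(opts: ParserOptions) -> set:
    seps = set(RFC2616_SEPARATORS if opts.strict else V0_SEPARATORS)
    if opts.fwd_slash_is_separator:
        seps.add('/')
    return seps  # single quote is never a separator in either mode


def parse_cookie_header(header: str, opts: ParserOptions = ParserOptions()) -> dict:
    """Return {name: value} for a Cookie request header under the given options."""
    seps = separators(opts)
    value_seps = seps - {'='} if opts.allow_equals_in_value else seps
    cookies, i, n = {}, 0, len(header)
    while i < n:
        while i < n and header[i] in ' \t;,':      # skip pair delimiters
            i += 1
        start = i
        while i < n and header[i] not in seps:     # name ends at any separator
            i += 1
        name, value = header[start:i], ''
        if i < n and header[i] == '=':
            i += 1
            if i < n and header[i] == '"':         # quoted value survives intact
                end = header.find('"', i + 1)
                end = n if end == -1 else end
                value, i = header[i + 1:end], end + 1
            else:                                  # unquoted value ends at a separator
                start = i
                while i < n and header[i] not in value_seps:
                    i += 1
                value = header[start:i]
        while i < n and header[i] not in ';,':     # leftover after a separator is dropped
            i += 1                                 # (assumed lenient recovery, not Tomcat's)
        if name:
            cookies[name] = value
    return cookies
```

Run the same header through the default, strict and `fwd_slash_is_separator` options to see the session id truncated from `abc/def` to `abc` in the latter two, while `JSESSIONID="abc/def"` survives strict parsing whole.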