https://issues.apache.org/bugzilla/show_bug.cgi?id=48559

Mark Thomas <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID

--- Comment #1 from Mark Thomas <[email protected]> 2010-01-17 10:18:30 GMT ---
The fix for CVE-2007-5333 essentially made Tomcat apply the various cookie
specifications more strictly. Where we can safely do so, options have been
added to reduce the strictness of these checks.

The '=' characters that can appear in base64 data will cause the quoting. A
new option will be included in the next 6.0.x release that allows = to be used
without the quotes being added. This may help.

The quotes should be transparent to applications that set and read cookie
values through the Servlet API. If they are not, that is probably a bug in
Tomcat.

Applications that read and set cookies directly should be able to handle
specification compliant cookies. If they cannot, that is probably a bug in
those applications.

Depending on circumstances, one option may be to bypass the Servlet API and
set/read the cookie headers directly. Again, applications that do this should
be specification compliant, although they can break the specs at their own
risk.

If you need assistance with a specific case, please ask - with examples - on
the Tomcat users mailing list.
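
Added example, not part of the original comment and not Tomcat's own code: one way an application that reads the Cookie header directly could accept quoted values such as padded base64. The class name, method name and sample header are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;

// Hypothetical helper, not Tomcat code: parses a raw Cookie header whose
// values may be RFC 2109 quoted-strings (for example, padded base64).
public class RawCookieReader {
    static Map<String, String> parse(String header) {
        Map<String, String> cookies = new LinkedHashMap<>();
        int i = 0, n = header.length();
        while (i < n) {
            // Skip separators and whitespace between pairs.
            while (i < n && ";, \t".indexOf(header.charAt(i)) >= 0) i++;
            int start = i;
            while (i < n && header.charAt(i) != '=' && header.charAt(i) != ';') i++;
            String name = header.substring(start, i).trim();
            StringBuilder value = new StringBuilder();
            if (i < n && header.charAt(i) == '=') {
                i++;
                if (i < n && header.charAt(i) == '"') {
                    // Quoted-string: read to the closing quote, so ';' and '='
                    // inside the quotes stay part of the value.
                    i++;
                    while (i < n && header.charAt(i) != '"') {
                        if (header.charAt(i) == '\\' && i + 1 < n) i++; // quoted-pair
                        value.append(header.charAt(i++));
                    }
                    i++; // step past the closing quote
                } else {
                    // Bare value: runs to the next ';' (a stray '=' is kept).
                    while (i < n && header.charAt(i) != ';') value.append(header.charAt(i++));
                }
            }
            // Names starting with '$' ($Version, $Path) are attributes, not cookies.
            if (!name.isEmpty() && !name.startsWith("$")) {
                cookies.put(name, value.toString().trim());
            }
        }
        return cookies;
    }
    public static void main(String[] args) {
        // Constructed sample header; "token" is the base64 of "hello world".
        String header = "$Version=\"1\"; token=\"aGVsbG8gd29ybGQ=\"; theme=dark";
        Map<String, String> cookies = parse(header);
        byte[] raw = Base64.getDecoder().decode(cookies.get("token"));
        System.out.println(cookies + " -> " + new String(raw, StandardCharsets.UTF_8));
    }
}
```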
