Dear Wiki user, You have subscribed to a wiki page or wiki category on "Tomcat Wiki" for change notification.
The "Cookies" page has been changed by jboynes: https://wiki.apache.org/tomcat/Cookies?action=diff&rev1=17&rev2=18 = Cookies = == Parsing the Cookie header by Tomcat == + The various specifications define the following formats for the Cookie header sent by the user-agent: + ||'''Specification'''||'''Format of Cookie header'''|| + ||Netscape||{{{Cookie: NAME1=OPAQUE_STRING1; NAME2=OPAQUE_STRING2 ...}}}|| + ||RFC2109||{{{"Cookie:" "$Version" "=" value 1*((";" | ",") cookie-value)}}}|| + ||RFC6265||{{{"Cookie:" OWS cookie-pair *( ";" SP cookie-pair ) OWS}}}|| + + Chrome-31, Firefox-26, Firefox Aurora-28, Internet Explorer-11 and Safari-7.01 all send a single header in Netscape/RFC6265 format with name=value pairs separated by semicolon and space. The name and value correspond to whatever was stored in the browser when the "Set-Cookie" header was parsed. These may contain commas, spaces, other separators or 8-bit characters. + + None of them add any of the "$" attributes ("$Version" "$Domain" or "$Path) from RFC2109 and specifically do not send the leading "$Version" attribute that is part of that specification's syntax. All except Safari support a unnamed "value-only" cookie that is sent as is (without a name or "="); i.e. a unnamed cookie with value "foo" (including quotes) is sent as the line: + {{{ + Cookie: "foo" + }}} + + When set through !JavaScript, any Unicode codepoints in the text are encoded as UTF-8 in the header. For example, in Chrome the statement {{{document.cookie = "foo=b\u00e1r";}}} will result in a header containing the octets + {{{ + 43 6f 6f 6b 69 65 3a 20 66 6f 6f 3d 62 c3 a1 72 + }}} + showing codepoint U+00E1 being converted to its UTF-8 equivalent 0xC3 0xA1. 
This matches the behaviour defined by [[http://www.w3.org/html/wg/drafts/html/master/single-page.html#cookie|HTML5.]] ||'''Issue'''||'''Current behaviour (8.0.0-RC10/7.0.50)'''||'''Proposed new behaviour'''||'''Servlet + Netscape + RFC2109'''||'''Servlet + RFC 6265'''|| ||0x80 to 0xFF in cookie value ([[https://issues.apache.org/bugzilla/show_bug.cgi?id=55917|Bug 55917]])||IAE||TBD||Netscape yes. RFC2109 requires quotes.||RFC 6265 never allowed.|| @@ -95, +113 @@ TEXT = <any OCTET except CTLs, but including LWS> rfc1123-date = wkday "," SP date1 SP time SP "GMT" }}} + == RFC2109 definitions == + {{{ + cookie-value = NAME "=" VALUE [";" path] [";" domain] + }}} == RFC6265 definitions == {{{ + cookie-pair = cookie-name "=" cookie-value cookie-value = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE ) cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E domain-value = <subdomain> ; defined in [RFC1034], Section 3.5, as enhanced by [RFC1123], Section 2.1
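Review bot: In the first hunk, the added browser paragraph calls the header "Netscape/RFC6265 format" and then states that names and values "may contain commas, spaces, other separators or 8-bit characters", which the RFC6265 cookie-octet rule quoted later on the page (%x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E) does not allow. Suggest saying that browsers use the RFC6265 framing (pairs separated by semicolon and space) while the octets inside a pair may fall outside cookie-octet, so nobody reading this as a parser spec assumes conforming input; the 0x80 to 0xFF table row already depends on that distinction. Two wording fixes in the same paragraph: "$Path) is missing its closing quote, and "a unnamed" should read "an unnamed" in both places.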
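Review bot: In the second hunk, the added RFC2109 rule cookie-value = NAME "=" VALUE [";" path] [";" domain] uses path and domain without defining them, and its name collides with the RFC6265 cookie-value rule a few lines below, which covers only the value and not the whole pair. Suggest adding the two RFC2109 rules it depends on (path = "$Path" "=" value and domain = "$Domain" "=" value) and a short sentence that cookie-value is defined per specification, so the two blocks are not read as one grammar. The added cookie-pair rule also references cookie-name, whose definition is not in the visible context; worth confirming it appears elsewhere on the page.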