On Jan 18, 2014, at 2:50 AM, Mark Thomas <ma...@apache.org> wrote:

> On 18/01/2014 04:34, Jeremy Boynes wrote:
> > On Jan 15, 2014, at 2:38 AM, Mark Thomas <ma...@apache.org> wrote:
> >
> >> Does any one have anything else to add to
> >> http://wiki.apache.org/tomcat/Cookies ? It feels like we should
> >> be looking to make some decisions on where to go with this.
> >>
> >> My $0.02 to start this discussion is that we should adopt all
> >> of the proposed changes with the following notes: - C1 rather
> >> than C1a
> >
> > I have uploaded a patch for the Cxx changes here:
> > http://people.apache.org/~jboynes/patches/cookie.patch It’s also
> > linked off the wiki page.
> 
> Generally +1.
> 
> The build.xml change does not belong in the patch.
Sorry about that, bad changelist foo.

> Formatting changes can be committed now, removing them from the patch
> and making it easier to read.

I will commit two changes now, one with formatting changes and another to 
convert from indexOf to BitSet without changing the existing functionality, and 
then post another candidate with the changes in behaviour.

> I had to stop and think when looking at TOKEN. It is right but it
> isn't 100% clear what is happening. I'd suggest using
> TOKEN.set(32,127) and a comment on the separators list that \t is
> already excluded but is included in the list for completeness.
> 
> Use String.length() == 0 or String.isEmpty() consistently.
> 
> I'm a little concerned about anonymous cookies. Is the browser support
> consistent? Is anyone using them?

I’ll double check but IIRC it was consistent across the ones I tried. I don’t 
have access at the moment to older browsers to check their behaviour. I’m 
presuming they are the same as I can’t believe anyone would have added this 
“feature” recently.

If they are using them with Servlets they would need to jump through hoops as I 
don’t think other implementations allow null or empty names either. Our 
implementation maps these to name-only cookies but that results in an 
inconsistency with the browsers that will happily store two separate cookies 
for the two pairs «X=» and «X» and send both back.

We know people actually use name-only cookies so I think we should prioritize 
support for the «X=» form (i.e. it becomes the Cookie with name == “X” and 
value == “”). We then have two options for the «X» form:
1) drop it
2) return it as the anonymous cookie

For rfc2109 and rfc6265 modes, it is not a valid token so we would normally 
drop it as Netscape mode needs to be explicitly enabled. We could just do the 
same for Netscape mode which would be consistent but means there’s a cookie 
browsers will store that we can’t handle. Fidelity with the browser was why I 
was leaning toward allowing it but either option resolves the ambiguity with 
the actual name-only cookie.

—
Jeremy

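The two implementation points discussed in this thread, the TOKEN BitSet built with TOKEN.set(32,127) minus the separators, and the handling of the name-only «X=» form versus the anonymous «X» form, as an added illustration. This is not the patch from the thread or Tomcat's own code: the class and method names (CookieTokenDemo, Pair, isToken, parse, SEPARATORS) are hypothetical, the separator list is the RFC 2616 one, and quoted-string values are deliberately left out to keep the example short. The sample Cookie header is constructed.

```java
import java.util.ArrayList;
import java.util.BitSet;
import java.util.List;

/**
 * Hypothetical illustration (not the Tomcat patch): a TOKEN BitSet built with
 * set(32,127) minus the separators, and a Cookie header parser that keeps the
 * name-only «X=» form and either drops or accepts the anonymous «X» form.
 */
public class CookieTokenDemo {

    /** Characters allowed in a token: printable ASCII (0x20..0x7E) minus separators. */
    static final BitSet TOKEN = new BitSet(128);

    /**
     * RFC 2616 separators. '\t' (HT) is already excluded by set(32,127) but is
     * listed here for completeness, as suggested in the thread.
     */
    static final String SEPARATORS = "()<>@,;:\\\"/[]?={} \t";

    static {
        TOKEN.set(32, 127);                  // 0x20..0x7E inclusive, CTLs and DEL excluded
        for (char c : SEPARATORS.toCharArray()) {
            TOKEN.clear(c);                  // separators are not token characters
        }
    }

    /** True if s is non-empty and every character is in TOKEN. */
    static boolean isToken(String s) {
        if (s.isEmpty()) {
            return false;
        }
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c >= 128 || !TOKEN.get(c)) {
                return false;
            }
        }
        return true;
    }

    /** Name/value holder; an empty name marks an anonymous cookie. */
    static final class Pair {
        final String name;
        final String value;
        Pair(String name, String value) { this.name = name; this.value = value; }
        @Override public String toString() { return "\u00ab" + name + "=" + value + "\u00bb"; }
    }

    /**
     * Parses the pairs of a Cookie request header.
     *   «X=» -> name "X", value ""  (name-only cookie, always kept)
     *   «X»  -> dropped, unless allowAnonymous, then name "", value "X"
     * Pairs whose name is not a token, or whose value contains non-token
     * characters, are dropped (quoted values are not handled here).
     */
    static List<Pair> parse(String header, boolean allowAnonymous) {
        List<Pair> out = new ArrayList<>();
        for (String raw : header.split(";")) {
            String part = raw.trim();
            if (part.isEmpty()) {
                continue;
            }
            int eq = part.indexOf('=');
            if (eq < 0) {
                // «X» form: no '='. Not a cookie-pair in RFC 2109 / RFC 6265 terms,
                // so drop it unless the caller opted into the anonymous interpretation.
                if (allowAnonymous && isToken(part)) {
                    out.add(new Pair("", part));
                }
                continue;
            }
            String name = part.substring(0, eq).trim();
            String value = part.substring(eq + 1).trim();
            if (!isToken(name)) {
                continue;                    // empty or invalid name: drop the pair
            }
            if (!value.isEmpty() && !isToken(value)) {
                continue;                    // invalid unquoted value: drop the pair
            }
            out.add(new Pair(name, value));
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample header containing both ambiguous forms plus invalid pairs.
        String header = "X=; X; JSESSIONID=abc123; bad name=1; =orphan";
        System.out.println("strict:    " + parse(header, false));
        System.out.println("anonymous: " + parse(header, true));
    }
}
```

Under the strict setting the bare «X» is silently dropped, which is the "drop it" option from the thread; with allowAnonymous it surfaces as a pair with an empty name, so it can never collide with the real name-only cookie «X=», which is the ambiguity the thread is trying to resolve either way.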
