Dear Wiki user, You have subscribed to a wiki page or wiki category on "Tomcat Wiki" for change notification.
The "Cookies" page has been changed by jboynes: https://wiki.apache.org/tomcat/Cookies?action=diff&rev1=30&rev2=31 Comment: Update implementation progress and link to a new set of patches ##language:en = Cookies = + + == Implementation Progress == + I started work on this in a local branch. Patches for the changes made there can be found here: + http://people.apache.org/~jboynes/patches/ + There is substantial refactoring in there to simply the current implementation. Actual changes are: + * C3 '=' is now disallowed in Netscape cookie names (it was already not allowed in RFC2109 names) + * C4 Attribute names are allowed as cookies names + * Cookie names starting with '$' are allowed in Netscape and RFC6265 mode and will still throw an IAE in RFC2109 mode == Round Trip Behaviour == The following tables document how a value is sent in a Set-Cookie header, what gets stored by a typical browser, the Cookie header that is generated by the browser and then the final value returned to a Servlet application. @@ -56, +64 @@ C5 Allow unnamed cookies in C1b "netscape" mode:: :: Allow cookies whose name is null or the empty string. Browsers will store a single cookie that has no name whose value is sent as simply «value» (i.e. without any '=' delimiter). This would now be supported if STRICT_NAMING is set to "netscape" but would remain disallowed in "rfc2109" or "rfc6265" modes. If allowed, the Set-Cookie header would contain just the value (no '=' present and an IAE if value contained an '=') and any such cookie found during parsing would be included in the result of HttpServletRequest#getCookies(). - A candidate patch for these Cxx changes can be found here: - http://people.apache.org/~jboynes/patches/cookie.patch - This follows proposal C1 with the consequence that a "/" is not allowed in a cookie name by default; to allow that STRICT_NAMING must be set to false (i.e. to "netscape" mode). The test suite changes are a result of that and with them in place I have verified it still passes. - === Changes to generation of Set-Cookie header === G1 Use RFC6265 format header for V0 cookies:: :: When version == 0 always generate a RFC6265 header, raising an exception from addCookie if the value is invalid rather than attempting to upgrade to a RFC2109 header to use quoting. Application impact is that they will now fail fast with an error rather than inconsistent data as described in Bug 55920; applications that do not set invalid values will not be impacted. --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
