Cookies
Parsing the Cookie header by Tomcat
Issue |
Current behaviour (8.0.0-RC10/7.0.50) |
Proposed new behaviour |
Servlet + Netscape + RFC2109 |
Servlet + RFC 6265 |
0x80 to 0xFF in cookie value (Bug 55917) |
IAE |
TBD |
Netscape yes. RFC2109 requires quotes. |
RFC 6265 never allowed |
CTL allowed in quoted cookie values (Bug 55918) |
Allowed |
TBD |
Not allowed. |
Not allowed. |
Quoted values in V0 cookies (Bug 55920) |
Quotes removed |
TBD |
TBD |
TBD |
Raw JSON in cookie values (Bug 55921) |
TBD |
TBD |
TBD |
TBD |
Allow equals in value |
Not by default. Allowed if property set. |
TBD |
Netscape is ambiguous. RFC2109 requires quoting. |
TBD |
Allow separators in V0 names and values |
Not by default. Allowed if property set. |
TBD |
TBD |
TBD |
Always add expires |
Enabled by default. Disabled by property. |
TBD |
TBD |
TBD |
/ is separator |
Enabled by default. Disabled by property. |
TBD |
TBD |
TBD |
Strict naming |
Enabled by default. Disabled by property. |
TBD |
TBD |
TBD |
Allow name only |
Disabled by default. Enabled by property. |
TBD |
TBD |
TBD |
Issues to add to the table above
- Any further issues raised on mailing lists
Generating the Set-Cookie header by Tomcat
TODO: Need to define behaviour for each of the issues above.