Comment: Promote P3a to new change P4 ensuring the original header value is always accessible to the application

...

Invalid syntax will result in a user-data log entry and the cookies being dropped rather than an IAE being thrown. The application impact is that requests with an invalid Cookie header will now be dispatched to the application.

"Dropping a cookie" means an invalid cookie will not appear in the list returned by HttpServletRequest#getCookies(). An application will still be able to access the original Cookie header and may perform its own parsing.

P4 Ensure that the cookie header is always available for the application to parse manually.


Stop modifying the header in-situ as part of the de-escaping process so that an application can elect to perform its own parsing by calling getHeader("Cookie"). Eliminate the need for the PRESERVE_COOKIE_HEADER property that currently controls whether a copy of the header is made if modifications are needed. Perform de-escaping during the copy needed to convert the MessageBytes to the String in Cookie#value, possibly during any conversion process needed to handle UTF-8.
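The following sketch illustrates the P4 approach: the header bytes are only read, de-escaping happens while each value is copied into a String, and invalid pairs are logged and dropped. It is an added example, not Tomcat code; the class and method names are hypothetical, the cookie syntax is an assumed simplification rather than a full RFC parser, and System.err stands in for the user-data log.

```java
import java.nio.charset.StandardCharsets;
import java.util.*;
public class CookieHeaderCopyDemo { // hypothetical name, not Tomcat code
    // De-escape while copying bytes [start, end) to a String; src is only read.
    static String unescapeCopy(byte[] src, int start, int end) {
        byte[] out = new byte[end - start];
        int n = 0;
        for (int i = start; i < end; i++) {
            if (src[i] == '\\' && i + 1 < end) i++; // drop the backslash
            out[n++] = src[i];
        }
        return new String(out, 0, n, StandardCharsets.UTF_8);
    }
    // Assumed syntax: name=value split on ';', values bare or double-quoted.
    static Map<String, String> parse(byte[] h) {
        Map<String, String> cookies = new LinkedHashMap<>();
        int pos = 0;
        while (pos < h.length) {
            int end = pos;
            boolean quoted = false;
            for (; end < h.length && (quoted || h[end] != ';'); end++) {
                if (quoted && h[end] == '\\' && end + 1 < h.length) end++;
                else if (h[end] == '"') quoted = !quoted;
            }
            int s = pos, e = end;
            pos = end + 1;
            while (s < e && h[s] == ' ') s++;
            while (e > s && h[e - 1] == ' ') e--;
            if (s == e) continue; // empty segment, nothing to drop
            int eq = s;
            while (eq < e && h[eq] != '=') eq++;
            int vs = eq + 1, ve = e;
            boolean q = vs < ve && h[vs] == '"';
            if (quoted || eq == s || eq == e || (q && h[ve - 1] != '"')) {
                System.err.println("Dropping invalid cookie at offset " + s);
                continue; // dropped from the parsed list only
            }
            if (q) { vs++; ve--; } // strip the surrounding quotes
            String name = new String(h, s, eq - s, StandardCharsets.US_ASCII);
            cookies.put(name, unescapeCopy(h, vs, ve));
        }
        return cookies;
    }
    // Constructed sample: escaped quote in "a", a nameless pair, plain "c".
    public static void main(String[] args) {
        byte[] raw = "a=\"x\\\"y\"; =nameless; c=3".getBytes(StandardCharsets.UTF_8);
        byte[] before = raw.clone();
        System.out.println(parse(raw) + " header intact: " + Arrays.equals(raw, before));
    }
}
```

Because the source array is never written, no copy-on-modify switch is needed to keep the original header available to the application.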

Impact of proposal on existing issues

...