...
Requirement | Servlet | Netscape | RFC2109 | RFC6265
--- | --- | --- | --- | ---
Format of name | Must conform to RFC2109. Vendors may provide an option to allow the Netscape format. | A sequence of characters excluding semi-colon, comma and white space. Browsers generally stop at the first equals sign. | token | token
Format of value | The value can be anything the server chooses to send. With Version 0 cookies, values should not contain white space, brackets, parentheses, equals signs, commas, double quotes, slashes, question marks, at signs, colons, and semicolons. Empty values may not behave the same way on all browsers. | A sequence of characters excluding semi-colon, comma and white space. | token or quoted-string | cookie-value
Domain | String, per RFC2109 | domain=DOMAIN_NAME | "Domain" "=" value | "Domain=" domain-value
Path | String, per RFC2109 | path=PATH | "Path" "=" value | "Path=" path-value
Secure | boolean | secure | "Secure" | "Secure"
HttpOnly | boolean | N/A | N/A | "HttpOnly"
Expires | N/A | expires=DATE as "Wdy, DD-Mon-YYYY HH:MM:SS GMT" | N/A | "Expires=" sane-cookie-date
Max-Age | int in seconds | N/A | "Max-Age" "=" value | "Max-Age=" non-zero-digit *DIGIT
Comment | String | N/A | "Comment" "=" value | allowed by extension
Version | int (0 or 1) | N/A | "Version" "=" 1*DIGIT | allowed by extension
Extension | N/A | N/A | N/A | any CHAR except CTLs or ";"
Current Implementation
Cookie
The constructor of javax.servlet.http.Cookie throws an IllegalArgumentException if any of the following conditions are met, checked in this order:
- name is null or zero length
- name is not a token
- name equalsIgnoreCase any of "Comment", "Discard", "Domain", "Expires", "Max-Age", "Path", "Secure" or "Version"
- name startsWith "$"
By default, a token comprises the characters 0x21..0x7E except comma, semicolon and space. If STRICT_NAMING is true, the token also excludes the characters ()<>@,;:\"[]?={} together with space and tab, which is the RFC2616 separator set without "/" (i.e. "/" is allowed); if FWD_SLASH_IS_SEPARATOR is also true, then "/" is excluded as well. Both properties default to true if STRICT_SERVLET_COMPLIANCE is true.
Issues
- the "HttpOnly" attribute name is not covered by the reserved-name check
- by default, a "=" character is allowed in a name (browsers treat the name as everything up to the first equals sign)
No checks are made in any of the other setters.
The domain value is converted to lower case (using Locale.ENGLISH) when it is set, because "IE allegedly needs this."
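To make the constructor checks and the two issues above concrete, here is a small Python model added for this page. It is not Tomcat's javax.servlet.http.Cookie source and the function names are the editor's own; it reproduces the name checks as listed above, with the STRICT_NAMING and FWD_SLASH_IS_SEPARATOR switches, beside a browser-side split of the resulting Set-Cookie header at the first "=" as RFC6265 section 5.2 describes. Running it shows that "HttpOnly" passes as a cookie name in every mode, and that a name containing "=" which survives the default separator set is stored by the browser under a different name than the one the server used. All inputs are constructed for the demonstration.

```python
"""Model of the cookie-name checks described above (not Tomcat's own
javax.servlet.http.Cookie code; names here are the editor's own) plus the
browser-side split of a Set-Cookie header at the first '=' (RFC 6265 s5.2)."""

# Attribute names the constructor rejects, compared case-insensitively.
# "HttpOnly" is deliberately absent: the page notes it is not covered.
RESERVED_NAMES = ("Comment", "Discard", "Domain", "Expires", "Max-Age",
                  "Path", "Secure", "Version")


def separators(strict_naming=False, fwd_slash_is_separator=False):
    """Characters that may not appear in a token.

    Default: comma, semicolon, space.  STRICT_NAMING: the RFC 2616 separator
    set without "/".  FWD_SLASH_IS_SEPARATOR (only meaningful together with
    STRICT_NAMING): "/" is excluded as well.
    """
    if not strict_naming:
        return ",; "
    seps = '()<>@,;:\\"[]?={} \t'
    return seps + "/" if fwd_slash_is_separator else seps


def is_token(value, strict_naming=False, fwd_slash_is_separator=False):
    """True if every character is in 0x21..0x7E and is not a separator."""
    seps = separators(strict_naming, fwd_slash_is_separator)
    return all(0x21 <= ord(c) <= 0x7E and c not in seps for c in value)


def cookie_name_error(name, strict_naming=False, fwd_slash_is_separator=False):
    """Return the reason the constructor would throw IllegalArgumentException,
    in the order the checks are listed above, or None if the name is accepted."""
    if name is None or len(name) == 0:
        return "name is null or zero length"
    if not is_token(name, strict_naming, fwd_slash_is_separator):
        return "name is not a token"
    if name.lower() in {r.lower() for r in RESERVED_NAMES}:
        return "name is a reserved attribute"
    if name.startswith("$"):
        return "name starts with $"
    return None


def set_cookie_header(name, value, path=None, http_only=False):
    """Serialise a cookie the way a server would: name=value, then attributes."""
    parts = [f"{name}={value}"]
    if path is not None:
        parts.append(f"Path={path}")
    if http_only:
        parts.append("HttpOnly")
    return "; ".join(parts)


def browser_parse(header):
    """Split a Set-Cookie header as an RFC 6265 user agent does.

    The text up to the first ';' is the name-value pair; the name is
    everything before the FIRST '='.  A pair with no '=' makes the user
    agent ignore the whole header (returns None).
    Returns (name, value, [attribute strings]).
    """
    pair, _, rest = header.partition(";")
    if "=" not in pair:
        return None
    name, _, value = pair.partition("=")
    attrs = [a.strip() for a in rest.split(";") if a.strip()]
    return name.strip(), value.strip(), attrs


def demonstrate():
    """Run the checks against the two issues listed above (constructed inputs)."""
    out = {}
    # Issue 1: "HttpOnly" is not in the reserved list, so it passes in every mode.
    out["HttpOnly accepted"] = cookie_name_error("HttpOnly") is None
    out["Domain rejected"] = cookie_name_error("domain")
    # Issue 2: "=" is not a default separator, so "session=admin" is a legal name...
    out["'=' under default naming"] = cookie_name_error("session=admin")
    out["'=' under STRICT_NAMING"] = cookie_name_error("session=admin", strict_naming=True)
    # ...and the browser then stores a cookie named "session", not "session=admin".
    hdr = set_cookie_header("session=admin", "1", path="/", http_only=True)
    out["header"] = hdr
    out["browser sees"] = browser_parse(hdr)
    # "/" is only excluded when both switches are on.
    out["slash strict"] = cookie_name_error("a/b", strict_naming=True)
    out["slash strict+fwd"] = cookie_name_error("a/b", True, True)
    return out


if __name__ == "__main__":
    for key, val in demonstrate().items():
        print(f"{key}: {val!r}")
```

The browser-side split is the practitioner's check on a proposed name grammar: whatever the server-side token rule admits, a user agent will still cut the name at the first "=" and at the first ";", so any name the constructor lets through that contains either character ends up as a cookie the application did not intend to set.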
HttpServletRequest
TODO: document this
TODO: write up
Proposed Implementation
TBD
...