...
Parsing the Cookie header by Tomcat
The various specifications define the following formats for the Cookie header sent by the user-agent:
| Specification | Format of Cookie header |
|---|---|
| Netscape | |
| RFC2109 | `"Cookie:" "$Version" "=" value 1*((";" \| ",") cookie-value)` |
| RFC6265 | |
Chrome-31, Firefox-26, Firefox Aurora-28, Internet Explorer-11 and Safari-7.01 all send a single header in Netscape/RFC6265 format with name=value pairs separated by a semicolon and a space. The name and value are whatever was stored in the browser when the "Set-Cookie" header was parsed, so they may contain commas, spaces, other separators or 8-bit characters.
None of them add any of the "$" attributes ("$Version", "$Domain" or "$Path") from RFC2109, and in particular none sends the leading "$Version" attribute that is part of that specification's syntax. All except Safari support an unnamed "value-only" cookie that is sent as-is (without a name or "="); i.e. an unnamed cookie with value "foo" (including the quotes) is sent as the line:
```
Cookie: "foo"
```
When set through JavaScript, any Unicode codepoints in the text are encoded as UTF-8 in the header. For example, in Chrome the statement `document.cookie = "foo=b\u00e1r";` results in a header containing the octets
```
43 6f 6f 6b 69 65 3a 20 66 6f 6f 3d 62 c3 a1 72
```
showing codepoint U+00E1 being converted to its UTF-8 equivalent 0xC3 0xA1. This matches the behaviour defined by HTML5.
| Issue | Current behaviour (8.0.0-RC10/7.0.50) | Proposed new behaviour | Servlet + Netscape + RFC2109 | Servlet + RFC 6265 |
|---|---|---|---|---|
| 0x80 to 0xFF in cookie value (Bug 55917) | IAE | TBD | Netscape yes. RFC2109 requires quotes. | RFC 6265 never allowed. |
| CTL allowed in quoted cookie values (Bug 55918) | Allowed | TBD | Not allowed. | Not allowed. |
| Quoted values in V0 cookies (Bug 55920) | Quotes removed. | TBD | Netscape - quotes are part of value. | Quotes are not part of value. |
| Raw JSON in cookie values (Bug 55921) | TBD | TBD | TBD | TBD |
| Allow equals in value | Not by default. Allowed if property set. | TBD | Netscape is ambiguous. RFC2109 requires quoting. | Allowed. |
| Allow separators in V0 names and values | Not by default. Allowed if property set. | TBD | Yes, except semi-colon, comma and whitespace. | Never in names. Yes in values, except semi-colon, comma, whitespace, double-quote and backslash. |
| Always add expires | Enabled by default. Disabled by property. | TBD | Netscape uses expires. RFC2109 uses Max-Age. | Allows either, none or both. |
| / is separator | Enabled by default. Disabled by property. | TBD | Netscape allowed in names and values. RFC2109 allowed in values if quoted. | Allowed in values. |
| Strict naming (as per Servlet spec) | Enabled by default. Disabled by property. | TBD | Netscape allows names the Servlet spec does not. RFC2109 is consistent with the Servlet spec. | Consistent with the Servlet spec. |
| Allow name only | Disabled by default. Enabled by property. | TBD | Netscape allowed, and equals sign expected before empty value. RFC2109 not allowed. | Allowed, but equals sign required before empty value. |
...
```
token          = 1*<any CHAR except CTLs or separators>
separators     = "(" | ")" | "<" | ">" | "@"
               | "," | ";" | ":" | "\" | <">
               | "/" | "[" | "]" | "?" | "="
               | "{" | "}" | SP | HT
CHAR           = <any US-ASCII character (octets 0 - 127)>
CTL            = <any US-ASCII control character (octets 0 - 31) and DEL (127)>
quoted-string  = ( <"> *(qdtext | quoted-pair ) <"> )
qdtext         = <any TEXT except <">>
quoted-pair    = "\" CHAR
TEXT           = <any OCTET except CTLs, but including LWS>
rfc1123-date   = wkday "," SP date1 SP time SP "GMT"
```
RFC2109 definitions
```
cookie-value = NAME "=" VALUE [";" path] [";" domain]
```
RFC6265 definitions
```
cookie-pair      = cookie-name "=" cookie-value
cookie-value     = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE )
cookie-octet     = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
domain-value     = <subdomain> ; defined in [RFC1034], Section 3.5, as enhanced by [RFC1123], Section 2.1
path-value       = <any CHAR except CTLs or ";">
sane-cookie-date = <rfc1123-date, defined in [RFC2616], Section 3.3.1>
```
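The two parsing modes that the issues table contrasts, as an added Python example (this is not Tomcat's code). The strict mode implements the RFC 6265 `cookie-pair` / `cookie-octet` rules listed directly above and the `token` rule for names; the lenient mode accepts what the browsers listed earlier actually send. The function names (`parse_rfc6265`, `parse_netscape`, `strict_violation`, `is_token`), the sample headers and the choice to decode 8-bit octets as UTF-8 in the lenient mode are this example's own assumptions; the handling of quotes, name-only cookies, CTLs and 8-bit octets follows the corresponding rows of the issues table.

```python
import re

# RFC 6265 cookie-octet, transcribed from the ABNF above:
#   cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
# i.e. printable US-ASCII minus SP, DQUOTE, comma, semicolon and backslash.
COOKIE_OCTET = re.compile(r"[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*")

# RFC 2616 separators; a token is 1*<any CHAR except CTLs or separators>.
SEPARATORS = set('()<>@,;:\\"/[]?={} \t')


def is_token(s: str) -> bool:
    """True if s is a non-empty RFC 2616 token (US-ASCII, no CTLs, no separators)."""
    return bool(s) and all(0x20 <= ord(c) <= 0x7E and c not in SEPARATORS for c in s)


def parse_rfc6265(header: bytes) -> list[tuple[str, str]]:
    """Strict RFC 6265 parse of the Cookie header value (the part after 'Cookie: ').

    Grammar applied: cookie-string = cookie-pair *( ";" SP cookie-pair ),
    cookie-pair = cookie-name "=" cookie-value, cookie-value = *cookie-octet
    optionally wrapped in DQUOTE. Raises ValueError naming the violated rule.
    Following the RFC 6265 column of the issues table, surrounding quotes are
    stripped and are not part of the returned value.
    """
    if any(b >= 0x80 for b in header):
        raise ValueError("8-bit octet in cookie value: never allowed by RFC 6265")
    text = header.decode("ascii")
    pairs: list[tuple[str, str]] = []
    for pair in text.split("; "):            # ";" SP is the only pair separator
        name, sep, value = pair.partition("=")
        if not sep:
            raise ValueError(f"name-only cookie {pair!r}: '=' is required before an empty value")
        if not is_token(name):
            raise ValueError(f"invalid cookie-name {name!r}: must be an RFC 2616 token")
        inner = value[1:-1] if len(value) >= 2 and value[0] == value[-1] == '"' else value
        if COOKIE_OCTET.fullmatch(inner) is None:   # rejects CTLs, SP, comma, DQUOTE, backslash
            raise ValueError(f"invalid cookie-value {value!r}: contains a non-cookie-octet")
        pairs.append((name, inner))
    return pairs


def parse_netscape(header: bytes) -> list[tuple[str, str]]:
    """Lenient Netscape/V0-style parse matching what the browsers listed above send.

    Only ";" separates pairs; whitespace around names and values is trimmed;
    commas, spaces, other separators and 8-bit octets are accepted in values;
    quotes stay part of the value (Netscape column of the issues table);
    a pair without "=" is an unnamed value-only cookie and is returned with
    an empty name. Decoding 8-bit octets as UTF-8 is this example's assumption,
    based on the JavaScript behaviour described above.
    """
    pairs: list[tuple[str, str]] = []
    for pair in header.decode("utf-8").split(";"):
        pair = pair.strip()
        if not pair:
            continue
        name, sep, value = pair.partition("=")
        if not sep:
            pairs.append(("", pair))
        else:
            pairs.append((name.strip(), value.strip()))
    return pairs


def strict_violation(header: bytes):
    """Return the RFC 6265 rule a header violates, or None if it parses cleanly."""
    try:
        parse_rfc6265(header)
    except ValueError as e:
        return str(e)
    return None


if __name__ == "__main__":
    # Constructed sample header values (the part after "Cookie: ") covering rows of the table.
    samples = [
        b'"foo"',                 # the unnamed value-only cookie from the text above
        b"foo=b\xc3\xa1r",        # the UTF-8 octets from the JavaScript example above
        b'a=1; b="x=y"; c=',      # quoted value containing "=", name with empty value
        b'a="x\x01y"',            # CTL inside a quoted value
        b"a=1, b=2",              # comma is not a pair separator in RFC 6265
    ]
    for h in samples:
        print(f"{h!r:28} netscape={parse_netscape(h)}  rfc6265={strict_violation(h) or 'ok'}")
```

Running the block prints, for each constructed header, what a lenient parser would hand to the application next to the rule a strict parser would reject it under; the 8-bit and CTL cases are the ones behind Bugs 55917 and 55918 in the table.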
...