Cookies
Implementation Progress
I started work on this in a local branch. Patches for the changes made there can be found here:
http://people.apache.org/~jboynes/patches/
There is substantial refactoring in there to simplify the current implementation. Actual changes are:
- C3 '=' is now disallowed in Netscape cookie names (it was already not allowed in RFC2109 names)
- C4 Attribute names are allowed as cookie names
- Cookie names starting with '$' are allowed in Netscape and RFC6265 mode and will still throw an IAE in RFC2109 mode
Round Trip Behaviour
The following tables document how a value is sent in a Set-Cookie header, what gets stored by a typical browser, the Cookie header that is generated by the browser and then the final value returned to a Servlet application.
The browser tested here is Chrome-31
Default Configuration (no properties set)
| Generation: Version | Generation: Value | Generation: Set-Cookie Header | Browser Value | Parsing: Cookie Header | Parsing: Resulting Value |
|---|---|---|---|---|---|
| 0 | bar | test=bar | bar | test=bar | bar |
| 0 | "bar" | test="bar" | "bar" | test="bar" | bar |
| 0 | "" | test="" | "" | test="" | emptyString |
| 0 | a"b | test="a\"b"; Version=1 | "a\"b" | test="a\"b" | a"b |
| 0 | a\b | test="a\b"; Version=1 | "a\b" | test="a\b" | ab |
| 0 | a?b | test="a?b"; Version=1 | "a?b" | test="a?b" | a?b |
| 1 | bar | test=bar; Version=1 | bar | test=bar | bar |
...
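The rows of the Default Configuration table, replayed as an added Python model (not Tomcat's code and not part of the original page). The quoting and unescaping rules are inferred from the table rows only, and the set of characters that force quoting is an assumption limited to the three the table shows; `lossy_rows()` reports the inputs that do not come back unchanged.

```python
# Model of the round trip documented in the table; rules inferred from its rows.
# Assumption: only the characters the table shows forcing a quoted value.
NEEDS_QUOTING = set('"\\?')

def set_cookie_header(name, value, version=0):
    """Generation: build the Set-Cookie header for one cookie."""
    already_quoted = len(value) >= 2 and value[0] == '"' and value[-1] == '"'
    if not already_quoted and NEEDS_QUOTING & set(value):
        # Per the table: '"' is escaped, '\' is sent as-is, Version=1 is added.
        value = '"' + value.replace('"', '\\"') + '"'
        version = 1
    header = f"{name}={value}"
    return header + "; Version=1" if version == 1 else header

def browser_store(header):
    """Browser: keep the raw text between '=' and the first ';'."""
    return header.split(";", 1)[0].split("=", 1)[1]

def parse_value(cookie_header):
    """Parsing: the value handed back to the Servlet application."""
    raw = cookie_header.split("=", 1)[1]
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        out, chars = [], iter(raw[1:-1])
        for ch in chars:
            # A backslash is dropped and the next character kept literally.
            out.append(next(chars, "") if ch == "\\" else ch)
        return "".join(out)
    return raw

def round_trip(value, version=0, name="test"):
    sent = set_cookie_header(name, value, version)
    stored = browser_store(sent)
    returned = f"{name}={stored}"  # Cookie header sent by the browser
    return sent, stored, returned, parse_value(returned)

# The (version, value) inputs from the table.
ROWS = [(0, 'bar'), (0, '"bar"'), (0, '""'), (0, 'a"b'),
        (0, 'a\\b'), (0, 'a?b'), (1, 'bar')]

def lossy_rows():
    """Inputs whose resulting value differs from what the application set."""
    results = [(v, round_trip(v, ver)[3]) for ver, v in ROWS]
    return [(v, got) for v, got in results if got != v]

if __name__ == "__main__":
    for ver, v in ROWS:
        print(ver, v, *round_trip(v, ver), sep=" | ")
    print("lossy:", lossy_rows())
```

An application that stores security-relevant data in a cookie value should not assume the value survives unchanged: in this table `"bar"` and `bar` both come back as `bar`, and the backslash in `a\b` is lost.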
Allow cookies whose name is null or the empty string. Browsers will store a single cookie that has no name whose value is sent as simply «value» (i.e. without any '=' delimiter). This would now be supported if STRICT_NAMING is set to "netscape" but would remain disallowed in "rfc2109" or "rfc6265" modes. If allowed, the Set-Cookie header would contain just the value (no '=' present and an IAE if value contained an '=') and any such cookie found during parsing would be included in the result of HttpServletRequest#getCookies().
...
Changes to generation of Set-Cookie header
...