Cookies
Parsing the Cookie header by Tomcat
| Issue | Current behaviour (8.0.0-RC10/7.0.50) | Proposed new behaviour | Servlet + Netscape + RFC2109 | Servlet + RFC 6265 |
|---|---|---|---|---|
| 0x80 to 0xFF in cookie value (Bug 55917) | IAE | TBD | Netscape yes. RFC2109 requires quotes. | RFC 6265 never allowed. |
| CTL allowed in quoted cookie values (Bug 55918) | Allowed | TBD | Not allowed. | Not allowed. |
| Quoted values in V0 cookies (Bug 55920) | Quotes removed. | TBD | Netscape - quotes are part of value. | Quotes are not part of value. |
| Raw JSON in cookie values (Bug 55921) | TBD | TBD | TBD | TBD |
| Allow equals in value | Not by default. Allowed if property set. | TBD | Netscape is ambiguous. RFC2109 requires quoting. | Allowed. |
| Allow separators in V0 names and values | Not by default. Allowed if property set. | TBD | Yes except semi-colon, comma and whitespace. | Never in names. Yes in values except semi-colon, comma, whitespace, double-quote and backslash. |
| Always add expires | Enabled by default. Disabled by property. | TBD | Netscape uses expires. RFC2109 uses Max-Age. | Allows either, none or both. |
| / is separator | Enabled by default. Disabled by property. | TBD | Netscape allowed in names and values. RFC2109 allowed in values if quoted. | Allowed in values. |
| Strict naming (as per Servlet spec) | Enabled by default. Disabled by property. | TBD | Netscape allows names the Servlet spec does not. RFC2109 is consistent with the Servlet spec. | Consistent with the Servlet spec. |
| Allow name only | Disabled by default. Enabled by property. | TBD | Netscape allowed and equals sign expected before empty value. RFC2109 not allowed. | Allowed but equals sign required before empty value. |
Issues to add to the table above
- Any further issues raised on mailing lists
Generating the Set-Cookie header by Tomcat
Requirements as defined by the specifications
| Requirement | Servlet | Netscape | RFC2109 | RFC6265 |
|---|---|---|---|---|
| Format of name | Must conform to RFC2109. Vendors may provide option to allow Netscape format | A sequence of characters excluding semi-colon, comma and white space. Browsers generally stop at first equals, | token | token |
| Format of value | The value can be anything the server chooses to send. With Version 0 cookies, values should not contain white space, brackets, parentheses, equals signs, commas, double quotes, slashes, question marks, at signs, colons, and semicolons. Empty values may not behave the same way on all browsers. | This string is a sequence of characters excluding semi-colon, comma and white space. | token or quoted-string | cookie-value |
| Domain | String, per RFC2109 | domain=DOMAIN_NAME | "Domain" "=" value | "Domain=" domain-value |
| Path | String, per RFC2109 | path=PATH | "Path" "=" value | "Path=" path-value |
| Secure | boolean | secure | "Secure" | "Secure" |
| HttpOnly | boolean | N/A | N/A | "HttpOnly" |
| Expires | N/A | expires=DATE as "Wdy, DD-Mon-YYYY HH:MM:SS GMT" | N/A | "Expires=" sane-cookie-date |
| Max-Age | int in seconds | N/A | "Max-Age" "=" value | "Max-Age=" non-zero-digit *DIGIT |
| Comment | String | N/A | "Comment" "=" value | allowed by extension |
| Version | int (0 or 1) | N/A | "Version" "=" 1*DIGIT | allowed by extension |
| Extension | N/A | N/A | N/A | any CHAR except CTLs or ";" |
Current Implementation
Cookie
The constructor of javax.servlet.http.Cookie will throw an IllegalArgumentException if any of the following conditions are met:
- name is null or zero length
- if name is not a token
- if name equalsIgnoreCase any of "Comment" "Discard" "Domain" "Expires" "Max-Age" "Path" "Secure" "Version"
- if name startsWith "$"
By default, a token comprises the characters 0x21..0x7E except comma, semicolon and space. If STRICT_NAMING is true, then a token also excludes the characters in "()<>@,;:\\\"[]?={} \t", which are the RFC2616 separators without "/" (i.e. "/" is still allowed); if FWD_SLASH_IS_SEPARATOR is true, then "/" is also excluded. Both properties default to true if STRICT_SERVLET_COMPLIANCE is true.
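The name check just described, written out as a stand-alone validator. This is an added example, not Tomcat's own code: the class and method names are assumed, and the two boolean parameters stand in for the STRICT_NAMING and FWD_SLASH_IS_SEPARATOR properties.

```java
public class CookieNameCheck {
    // RFC 2616 separators minus "/", which has its own flag below
    private static final String SEPARATORS = "()<>@,;:\\\"[]?={} \t";
    private static final String[] RESERVED = { "Comment", "Discard", "Domain",
            "Expires", "Max-Age", "Path", "Secure", "Version" };

    // Default token: 0x21..0x7E except comma, semicolon and space;
    // strictNaming additionally excludes the separators above;
    // fwdSlashIsSeparator additionally excludes "/".
    public static boolean isToken(String s, boolean strictNaming,
                                  boolean fwdSlashIsSeparator) {
        if (s == null || s.isEmpty()) return false;
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c < 0x21 || c > 0x7E || c == ',' || c == ';' || c == ' ') return false;
            if (strictNaming && SEPARATORS.indexOf(c) >= 0) return false;
            if (fwdSlashIsSeparator && c == '/') return false;
        }
        return true;
    }

    // Mirrors the four IllegalArgumentException conditions listed above.
    public static void checkName(String name, boolean strictNaming,
                                 boolean fwdSlashIsSeparator) {
        if (!isToken(name, strictNaming, fwdSlashIsSeparator)) {
            throw new IllegalArgumentException("not a token: " + name);
        }
        for (String r : RESERVED) {
            if (name.equalsIgnoreCase(r)) {
                throw new IllegalArgumentException("reserved name: " + name);
            }
        }
        if (name.startsWith("$")) {
            throw new IllegalArgumentException("name starts with $: " + name);
        }
    }

    public static void main(String[] args) {
        // constructed sample names; STRICT_NAMING on, "/" still allowed
        String[] names = { "JSESSIONID", "a/b", "a=b", "$Version", "max-age", "" };
        for (String n : names) {
            try {
                checkName(n, true, false);
                System.out.println("'" + n + "': accepted");
            } catch (IllegalArgumentException e) {
                System.out.println("'" + n + "': rejected, " + e.getMessage());
            }
        }
    }
}
```

Running it with the second flag set to true instead shows "a/b" moving from accepted to rejected, which is the only difference the FWD_SLASH_IS_SEPARATOR property makes.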
Issues
No checks are made in any of the other setters.
The domain value is converted to lower case (per Locale.ENGLISH) when set as "IE allegedly needs this."
HttpServletRequest
TODO: document this
Proposed Implementation
TBD
RFC2616 definitions
token = 1*<any CHAR except CTLs or separators>
separators = "(" | ")" | "<" | ">" | "@" | "," | ";" | ":" | "\" | <"> | "/" | "[" | "]" | "?" | "=" | "{" | "}" | SP | HT
CHAR = <any US-ASCII character (octets 0 - 127)>
CTL = <any US-ASCII control character (octets 0 - 31) and DEL (127)>
quoted-string = ( <"> *(qdtext | quoted-pair ) <"> )
qdtext = <any TEXT except <">>
quoted-pair = "\" CHAR
TEXT = <any OCTET except CTLs, but including LWS>
rfc1123-date = wkday "," SP date1 SP time SP "GMT"
RFC6265 definitions
cookie-value = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE )
cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
domain-value = <subdomain> ; defined in [RFC1034], Section 3.5, as enhanced by [RFC1123], Section 2.1
path-value = <any CHAR except CTLs or ";">
sane-cookie-date = <rfc1123-date, defined in [RFC2616], Section 3.3.1>
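A checker for the cookie-value grammar above, applied to a Cookie header, to show how the "Servlet + RFC 6265" column of the issue table decides the listed bugs (bytes 0x80 and above, CTLs inside quotes, surrounding quotes, equals in the value, name-only cookies). This is an added example, not Tomcat's code; the class and method names are assumed, and names are only trimmed here, not token-checked.

```java
import java.util.LinkedHashMap;
import java.util.Map;

public class CookieValue6265 {
    // cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E, i.e. visible
    // US-ASCII except DQUOTE, comma, semicolon and backslash; CTLs and 0x80+ fail
    static boolean isCookieOctet(char c) {
        return c == 0x21 || (c >= 0x23 && c <= 0x2B) || (c >= 0x2D && c <= 0x3A)
                || (c >= 0x3C && c <= 0x5B) || (c >= 0x5D && c <= 0x7E);
    }

    // Returns the value with optional surrounding DQUOTEs removed (quotes are
    // not part of the value), or null if any octet is outside the grammar.
    static String parseCookieValue(String v) {
        String inner = v;
        if (v.length() >= 2 && v.charAt(0) == '"' && v.charAt(v.length() - 1) == '"') {
            inner = v.substring(1, v.length() - 1);
        }
        for (int i = 0; i < inner.length(); i++) {
            if (!isCookieOctet(inner.charAt(i))) return null;
        }
        return inner;
    }

    // Splits a Cookie header on ";" and each pair at its first "="; pairs
    // without "=" (name only) and pairs with an invalid value are dropped.
    static Map<String, String> parseCookieHeader(String header) {
        Map<String, String> out = new LinkedHashMap<>();
        for (String pair : header.split(";")) {
            int eq = pair.indexOf('=');
            if (eq < 0) continue;
            String name = pair.substring(0, eq).trim();
            String value = parseCookieValue(pair.substring(eq + 1).trim());
            if (name.isEmpty() || value == null) continue;
            out.put(name, value);
        }
        return out;
    }

    public static void main(String[] args) {
        // constructed header: quoted value, "=" in value, CTL inside quotes,
        // non-ASCII byte, name only, empty value after "="
        String h = "a=\"quoted\"; b=x=y; c=\"\u0001\"; d=\u00e9; e; f=";
        System.out.println(parseCookieHeader(h));
    }
}
```

Only a, b and f survive: the quotes around a are stripped, the "=" inside b is kept, and f is accepted because the equals sign precedes its empty value.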