Subject: Re: Cookie value with equal sign getting truncated - msg#00304List: users-tomcat.apache.org> It seems, that Tomcat doesn't allow a "= " sign in the cookie value. It is the cookie specs that doesn't allow unquoted '=' and Tomcat got stricter about enforcing the specs as a result of a couple of security vulnerabilities. > If there is a "=" it put the value into "" -signs. Yep - as per the spec. Values that contain '=' have to be v1 cookies and have to be quoted. > This problem occurs with Tomcat 6.0.18. The cookie changes started in 6.0.14 and caused various regressions. The 6.0.18+ behaviour (ie the auto switching to v1 cookies) was added to help those apps that used '=' in the value and couldn't easily fix this themselves. > Are there a workarounds available to disable this behavior? Your options are: 1) Have v0 cookies with '=' treated as invalid (use STRICT_SERVLET_COMPILANCE) 2) Have Tomcat automatically switch the cookie to v1 and add the quotes (the default) 3) Don't use '=' in cookie values (ie change your app) Mark --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxxx
Thread at a glance:
Previous Message by Date: (click to view message preview)Cookie value with equal sign getting truncatedIt seems, that Tomcat doesn't allow a "= " sign in the cookie value. If there is a "=" it put the value into "" -signs. This problem occurs with Tomcat 6.0.18. Are there a workarounds available to disable this behavior? regards, Joerg *** DEPARTMENT DISCLAIMER *** Next Message by Date: click to view message previewRe: Cookie value with equal sign getting truncatedHi Mark, thanks for the quick reply. How can i realize option 1? How can i configure STRICT_SERVLET_COMPILANCE? thanks, Joerg Mark Thomas <markt@xxxxxxxxxx> 07.09.2009 15:17 Please respond to "Tomcat Users List" <users@xxxxxxxxxxxxxxxxx> To Tomcat Users List <users@xxxxxxxxxxxxxxxxx> cc Subject Re: Cookie value with equal sign getting truncated Joerg Schaefer wrote: > It seems, that Tomcat doesn't allow a "= " sign in the cookie value. It is the cookie specs that doesn't allow unquoted '=' and Tomcat got stricter about enforcing the specs as a result of a couple of security vulnerabilities. > If there is a "=" it put the value into "" -signs. Yep - as per the spec. Values that contain '=' have to be v1 cookies and have to be quoted. > This problem occurs with Tomcat 6.0.18. The cookie changes started in 6.0.14 and caused various regressions. The 6.0.18+ behaviour (ie the auto switching to v1 cookies) was added to help those apps that used '=' in the value and couldn't easily fix this themselves. > Are there a workarounds available to disable this behavior? Your options are: 1) Have v0 cookies with '=' treated as invalid (use STRICT_SERVLET_COMPILANCE) 2) Have Tomcat automatically switch the cookie to v1 and add the quotes (the default) 3) Don't use '=' in cookie values (ie change your app) Mark --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxxx *** DEPARTMENT DISCLAIMER *** Previous Message by Thread: click to view message previewCookie value with equal sign getting truncatedIt seems, that Tomcat doesn't allow a "= " sign in the cookie value. If there is a "=" it put the value into "" -signs. This problem occurs with Tomcat 6.0.18. Are there a workarounds available to disable this behavior? regards, Joerg *** DEPARTMENT DISCLAIMER *** Next Message by Thread: click to view message previewRe: Cookie value with equal sign getting truncatedHi Mark, thanks for the quick reply. How can i realize option 1? How can i configure STRICT_SERVLET_COMPILANCE? thanks, Joerg Mark Thomas <markt@xxxxxxxxxx> 07.09.2009 15:17 Please respond to "Tomcat Users List" <users@xxxxxxxxxxxxxxxxx> To Tomcat Users List <users@xxxxxxxxxxxxxxxxx> cc Subject Re: Cookie value with equal sign getting truncated Joerg Schaefer wrote: > It seems, that Tomcat doesn't allow a "= " sign in the cookie value. It is the cookie specs that doesn't allow unquoted '=' and Tomcat got stricter about enforcing the specs as a result of a couple of security vulnerabilities. > If there is a "=" it put the value into "" -signs. Yep - as per the spec. Values that contain '=' have to be v1 cookies and have to be quoted. > This problem occurs with Tomcat 6.0.18. The cookie changes started in 6.0.14 and caused various regressions. The 6.0.18+ behaviour (ie the auto switching to v1 cookies) was added to help those apps that used '=' in the value and couldn't easily fix this themselves. > Are there a workarounds available to disable this behavior? Your options are: 1) Have v0 cookies with '=' treated as invalid (use STRICT_SERVLET_COMPILANCE) 2) Have Tomcat automatically switch the cookie to v1 and add the quotes (the default) 3) Don't use '=' in cookie values (ie change your app) Mark --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxxx *** DEPARTMENT DISCLAIMER ***
Web Hosting Reviews from OSDir.com Sister Site iBizWebHosting.com
|
|
