Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-11442

[GSS](7.0.z) RFC6265 compliant cookie validation

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Major Major
    • 7.0.8.CR1, 7.0.8.GA
    • 7.0.5.GA
    • Undertow
    • None
    • EAP 7.0.8

      Undertow does not conform to Set-Cookie syntax defined in the cookie specification.

      RFC6265 (Section 4.1 Set-Cookie) states that Servers SHOULD NOT send Set-Cookie headers that fail to conform the defined grammer. For example, cookie value should be US-ASCII characters excluding CTLs, whitespace, double quote, comma, semicolon, and backslash.

      However, undertow does not restrict the invalid characters. For example, when accessing the following JSP which add one of invalid characters (whitespace) to cookie value:

      <%
          Cookie c = new Cookie("example","example cookie");
          response.addCookie(c);
      %>
      

      undertow responds with the following Set-Cookie format but this is not correct Set-Cookie header in RFC6265:

      Set-Cookie: example=example cookie
      

      Note: The previous cookie specifications (RFC2109 and RFC2965) allow some characters in cookie value when the cookie value are quoted. (i.e. Set-Cookie: example="example cookie" was allowed in the old specifications.) EAP 6/JBossWeb (and Tomcat 6.0/7.0/8.0) conform to this old specification and it will automatically quotes a cookie value (also path and domain) when the value contains any seprarator characters which should be quoted.

              sdouglas1@redhat.com Stuart Douglas (Inactive)
              rhn-support-mmiura Masafumi Miura
              Michael Cada Michael Cada
              Michael Cada Michael Cada
              Votes:
              0 Vote for this issue
              Watchers:
              11 Start watching this issue

                Created:
                Updated:
                Resolved: