Undertow
UNDERTOW-1095

Add optional support for RFC6265 compliant cookie validation


Details

    Description

      Undertow does not conform to the Set-Cookie syntax defined in the cookie specification.

      RFC6265 (Section 4.1 Set-Cookie) states that servers SHOULD NOT send Set-Cookie headers that fail to conform to the defined grammar. For example, a cookie value should consist of US-ASCII characters excluding CTLs, whitespace, double quote, comma, semicolon, and backslash.

      However, Undertow does not restrict the invalid characters. For example, when accessing the following JSP, which adds one of the invalid characters (whitespace) to the cookie value:

      <%
          // the value contains a space, which is not a cookie-octet under RFC6265
          Cookie c = new Cookie("example","example cookie");
          response.addCookie(c);
      %>
      

      Undertow responds with the following Set-Cookie header, but this is not a correct Set-Cookie header under RFC6265:

      Set-Cookie: example=example cookie
      

      Note: The previous cookie specifications (RFC2109 and RFC2965) allow some characters in the cookie value when the cookie value is quoted. (i.e. Set-Cookie: example="example cookie" was allowed in the old specifications.) EAP 6/JBossWeb (and Tomcat 6.0/7.0/8.0) conform to this old specification and will automatically quote a cookie value (also path and domain) when the value contains any separator characters which should be quoted.
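      An added example, not part of this report and not Undertow's own code: a Python check of a Set-Cookie header value against the RFC6265 Section 4.1.1 grammar (cookie-name as an RFC2616 token, cookie-value as cookie-octets with an optional outer pair of DQUOTEs, no CTLs in attribute values), run over constructed sample headers including the one from this report. It also shows that the RFC2109-style quoted form `example="example cookie"` still fails under RFC6265, because the space inside the quotes is not a cookie-octet. The helper names and the percent-encoding workaround in `rfc6265_safe_value` are assumptions for illustration; RFC6265 itself defines no encoding for cookie values, so a client that relies on it must decode by application convention.

```python
"""Check a Set-Cookie header value against the RFC 6265 section 4.1.1 grammar.

Added example for illustration; not Undertow code and not the project's API.
"""
import re
from urllib.parse import quote

# cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
# i.e. US-ASCII excluding CTLs, whitespace, DQUOTE, comma, semicolon, backslash.
_COOKIE_OCTET = re.compile(r'[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]')

# RFC 2616 token: 1*<any CHAR except CTLs or separators>,
# separators being ()<>@,;:\"/[]?={} SP HT
_TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


def offending_chars(value: str) -> list[str]:
    """Characters of a cookie-value that are not cookie-octets.

    One outer pair of DQUOTEs is allowed by the grammar and is stripped first;
    anything between them must still be cookie-octets (so a quoted space fails).
    """
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        value = value[1:-1]
    return sorted({c for c in value if not _COOKIE_OCTET.fullmatch(c)})


def check_set_cookie(header: str) -> list[str]:
    """Return grammar violations for the value part of a Set-Cookie header.

    An empty list means the header conforms to RFC 6265 section 4.1.1.
    """
    problems: list[str] = []
    pair, _sep, attrs = header.partition(';')
    name, eq, value = pair.partition('=')
    if not eq:
        return ["cookie-pair has no '='"]
    if not _TOKEN.fullmatch(name):
        problems.append(f"cookie-name {name!r} is not an RFC 2616 token")
    bad = offending_chars(value)
    if bad:
        problems.append(f"cookie-value {value!r} contains non-cookie-octet(s): {bad}")
    # path-value / domain-value etc. exclude CTLs and ';'. A ';' cannot survive the
    # split above, so only CTLs remain to be checked in each attribute.
    for attr in attrs.split(';'):
        if any(ord(c) < 0x20 or ord(c) == 0x7F for c in attr):
            problems.append(f"attribute {attr.strip()!r} contains a CTL")
    return problems


def rfc6265_safe_value(value: str) -> str:
    """Percent-encode a value so that every character is a cookie-octet.

    Assumed workaround, not something RFC 6265 prescribes: '%' is always encoded
    so the client can decode unambiguously; all other cookie-octets pass through.
    """
    return quote(value, safe="!#$&'()*+-./:<=>?@[]^_`{|}~")


# Constructed sample headers: the one from the report, its RFC 2109-style quoted
# form, and a percent-encoded form that does conform.
SAMPLE_HEADERS = [
    "example=example cookie",
    'example="example cookie"',
    "example=" + rfc6265_safe_value("example cookie"),
    "example=a,b;c",
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(f"Set-Cookie: {h}")
        for p in check_set_cookie(h) or ["conforms to RFC 6265"]:
            print("   ", p)
```

      Running the block prints the report's header with a whitespace violation, the quoted form with the same violation, the percent-encoded form as conforming, and the last sample truncated at the first `;` (the `;c` is parsed as an attribute), which is exactly how a receiving user agent would misread an unvalidated value.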

People

  sdouglas1@redhat.com Stuart Douglas
  rhn-support-mmiura Masafumi Miura
  Votes: 0
  Watchers: 2
