UNDERTOW-1095

Add optional support for RFC6265 compliant cookie validation

    Details

      Description

      Undertow does not conform to Set-Cookie syntax defined in the cookie specification.

      RFC6265 (Section 4.1 Set-Cookie) states that servers SHOULD NOT send Set-Cookie headers that fail to conform to the defined grammar. For example, a cookie value should consist of US-ASCII characters excluding CTLs, whitespace, double quote, comma, semicolon, and backslash.

      However, undertow does not restrict these invalid characters. For example, when accessing the following JSP, which adds one of the invalid characters (whitespace) to the cookie value:

      <%
          Cookie c = new Cookie("example","example cookie");
          response.addCookie(c);
      %>
      

      undertow responds with the following Set-Cookie header, which is not a valid Set-Cookie header under RFC6265:

      Set-Cookie: example=example cookie
      

      Note: The previous cookie specifications (RFC2109 and RFC2965) allow some of these characters in the cookie value when the cookie value is quoted (i.e. Set-Cookie: example="example cookie" was allowed in the old specifications). EAP 6/JBossWeb (and Tomcat 6.0/7.0/8.0) conform to this old specification and automatically quote a cookie value (also path and domain) when the value contains any separator characters that should be quoted.
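      The following stand-alone check, added here as an example and not Undertow's own code, applies the RFC 6265 section 4.1.1 cookie-value grammar to the value from the JSP above and to a few constructed edge cases; the class and method names are assumptions for this example. It also shows why the old RFC 2109 quoted form does not rescue the value: under RFC 6265 the quotes may only wrap cookie-octets.

```java
import java.util.Arrays;
import java.util.List;

// Stand-alone RFC 6265 (section 4.1.1) check for a Set-Cookie value.
// Class and method names are assumptions for this example, not Undertow's API.
public class Rfc6265CookieValidator {

    // cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
    // i.e. US-ASCII minus CTLs, whitespace, DQUOTE, comma, semicolon, backslash.
    static boolean isCookieOctet(char c) {
        return c == 0x21
            || (c >= 0x23 && c <= 0x2B)
            || (c >= 0x2D && c <= 0x3A)
            || (c >= 0x3C && c <= 0x5B)
            || (c >= 0x5D && c <= 0x7E);
    }

    // cookie-value = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE )
    // The quoted form only wraps cookie-octets, so "example cookie" (with quotes)
    // is still invalid under RFC 6265 even though RFC 2109/2965 accepted it.
    static boolean isValidCookieValue(String value) {
        String inner = value;
        int n = value.length();
        if (n >= 2 && value.charAt(0) == '"' && value.charAt(n - 1) == '"') {
            inner = value.substring(1, n - 1);
        }
        for (int i = 0; i < inner.length(); i++) {
            if (!isCookieOctet(inner.charAt(i))) return false;
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed samples: the value from the issue plus a few edge cases.
        List<String> values = Arrays.asList("example cookie", "\"example cookie\"",
                "example_cookie", "a,b", "\"\"", "");
        for (String v : values) {
            String verdict = isValidCookieValue(v) ? "valid" : "REJECT (not RFC 6265)";
            System.out.printf("%-20s -> %s%n", v, verdict);
        }
    }
}
```

      Running it rejects "example cookie" in both bare and quoted form and accepts "example_cookie"; a server that wants to follow the SHOULD NOT in section 4.1 can apply this check before emitting the header.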

                People

                • Assignee:
                  swd847 Stuart Douglas
                  Reporter:
                  mmiura Masafumi Miura