- Enhancement
- Resolution: Done
- Blocker
- None
Undertow does not conform to the Set-Cookie syntax defined in the cookie specification.
RFC6265 (Section 4.1 Set-Cookie) states that servers SHOULD NOT send Set-Cookie headers that fail to conform to the defined grammar. For example, a cookie value should consist of US-ASCII characters excluding CTLs, whitespace, double quote, comma, semicolon, and backslash.
However, Undertow does not reject these invalid characters. For example, when accessing the following JSP, which adds one of the invalid characters (whitespace) to the cookie value:
<%@ page import="javax.servlet.http.Cookie" %>
<% Cookie c = new Cookie("example","example cookie"); response.addCookie(c); %>
Undertow responds with the following Set-Cookie header, which is not a valid Set-Cookie header under RFC6265:
Set-Cookie: example=example cookie
Note: The previous cookie specifications (RFC2109 and RFC2965) allow some of these characters in a cookie value when the value is quoted (i.e. Set-Cookie: example="example cookie" was allowed in the old specifications). EAP 6/JBossWeb (and Tomcat 6.0/7.0/8.0) conform to this old specification and automatically quote a cookie value (also path and domain) when it contains any separator characters that should be quoted.
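To make the grammar in this description concrete, the following Python example (added here; it is not Undertow, JBossWeb or Tomcat code) checks a cookie name and value against the RFC 6265 cookie-octet rule, builds a Set-Cookie line only when both pass, approximates the old RFC 2109-style quoting described in the note above, and audits a few constructed Set-Cookie lines of the kind shown in this issue. All function names and the sample headers are my own choices.

```python
import re
from typing import List

# RFC 6265 section 4.1.1 grammar for the value part of a Set-Cookie header:
#   cookie-value = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE )
#   cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
# i.e. printable US-ASCII excluding CTLs, space, DQUOTE, comma, semicolon and backslash.
COOKIE_OCTET_RE = re.compile(r"[\x21\x23-\x2b\x2d-\x3a\x3c-\x5b\x5d-\x7e]*")

# cookie-name is an HTTP token (RFC 2616 section 2.2): any CHAR except CTLs and separators.
TOKEN_SEPARATORS = frozenset('()<>@,;:\\"/[]?={} \t')


def invalid_value_chars(value: str) -> List[str]:
    """Return the characters of ``value`` that are not cookie-octets.

    A single pair of surrounding double quotes is permitted by the grammar
    and is therefore not reported.
    """
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        value = value[1:-1]
    return [ch for ch in value if COOKIE_OCTET_RE.fullmatch(ch) is None]


def is_valid_cookie_value(value: str) -> bool:
    return not invalid_value_chars(value)


def is_valid_cookie_name(name: str) -> bool:
    """A cookie name must be a non-empty token: 0x21-0x7E, no separators."""
    return bool(name) and all(
        0x20 < ord(ch) < 0x7F and ch not in TOKEN_SEPARATORS for ch in name
    )


def set_cookie_header(name: str, value: str) -> str:
    """Build a Set-Cookie line, refusing anything outside the RFC 6265 grammar."""
    if not is_valid_cookie_name(name):
        raise ValueError(f"cookie name is not a valid token: {name!r}")
    bad = invalid_value_chars(value)
    if bad:
        raise ValueError(
            f"cookie value contains characters outside RFC 6265 cookie-octet: {bad!r}"
        )
    return f"Set-Cookie: {name}={value}"


def legacy_quoted_value(value: str) -> str:
    """Approximation (my own, not JBossWeb's code) of the RFC 2109-era behaviour:
    a value that cannot be sent bare is wrapped in double quotes, with embedded
    quotes and backslashes escaped. Such a quoted value is still invalid under RFC 6265
    if it contains non-cookie-octets."""
    if COOKIE_OCTET_RE.fullmatch(value):
        return value
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def audit_set_cookie(header: str) -> List[str]:
    """Report RFC 6265 violations in the name=value part of one Set-Cookie line.

    Attributes after the first ';' (Path, Domain, ...) are not checked here.
    """
    problems: List[str] = []
    label, sep, rest = header.partition(":")
    if not sep or label.strip().lower() != "set-cookie":
        return ["not a Set-Cookie header"]
    pair = rest.strip().split(";", 1)[0]
    name, eq, value = pair.partition("=")
    if not eq:
        return ["missing '=' between name and value"]
    if not is_valid_cookie_name(name):
        problems.append(f"name {name!r} is not a valid token")
    bad = invalid_value_chars(value)
    if bad:
        problems.append(f"value contains disallowed characters {bad!r}")
    return problems


# Constructed sample headers for the audit (not captured from a real server).
SAMPLE_HEADERS = [
    "Set-Cookie: example=examplecookie",
    "Set-Cookie: example=example cookie",     # the case reported in this issue
    'Set-Cookie: example="example cookie"',   # legacy RFC 2109 quoting, still invalid
    "Set-Cookie: example=a,b; Path=/",        # comma is not a cookie-octet either
]


if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(h, "->", audit_set_cookie(h) or "OK")
```

Run as a script, the audit flags the second, third and fourth sample lines and accepts the first; `set_cookie_header` can be used on the producing side to refuse a value such as `"example cookie"` before it reaches the wire.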
- clones JBEAP-11443 [GSS](7.1.0) Add optional support for RFC6265 compliant cookie validation (Closed)