Some 3P websites appear to set cookie values using unencoded JSON data; as an example, the fsr.s cookie set by a certain tracking site. This is invalid per all cookie specifications due to the use of unescaped "," characters in the data. When parsing these values, Tomcat treats the data as a token, determines it is invalid due to the presence of a "{" character, and attempts to skip to the next token. However, it determines this boundary by the presence of the "," character in the middle of the JSON blob and then proceeds to parse the next cookie starting in the middle of this data. This may result in erroneous cookies being added. RFC6265 requires and Netscape suggests that cookie-pairs be separated by the sequence ";" SP so rather than looking for a single separator character the recovery mechanism could look for one followed by a SP. However, this would not recover if the JSON data contained SP characters as JSON permits. Alternatively, we could assume that a value starting with "{" was JSON encoded data and parse the value as such. This would be gated by a configuration option.
I'm pretty sure that an otherwise unencoded JSON value should be quoted when used in an HTTP header value. Tomcat might handle these cases in a more elegant way (e.g. not choking on the 'stray" comma), but I don't think Tomcat should go out of its way to read these kinds of cookies.
The new RFC6265 cookie parser (that also includes a new RFC2109 parser) correctly handles these values. I don't propose fixing the old parser.