Wicket / WICKET-1834

Invalid Cookie Names for persistence used according to RFC (doesn't work in tomcat 6.x)


Details

    • Bug
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • 1.4-M3
    • 1.3.5, 1.4-RC1
    • wicket
    • None

    Description

      Wicket uses ":" to build up the cookie name out of different components (e.g. "signInPanel:signInForm:username"). This violates the cookie spec (RFC 2965 and RFC 2616). According to this spec a cookie must be an av-pair:

      av-pairs = av-pair *(";" av-pair)
      av-pair = attr ["=" value] ; optional value
      attr = token
      value = token | quoted-string

      and token is:

      token = 1*<any CHAR except CTLs or separators>
      separators = "(" | ")" | "<" | ">" | "@"
                 | "," | ";" | ":" | "\" | <">
                 | "/" | "[" | "]" | "?" | "="
                 | "{" | "}" | SP | HT

      Note that the cookie name MUST be a token and a token MUST NOT contain ":".

      That's why Tomcat 6.x delivers (correctly with best guess) "signInPanel" as cookie name for the above example.
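
The token rule quoted above, written out as a check. This is an added example, not code from the issue or from Wicket: the class and method names are hypothetical, the second component path is constructed, and replacing ":" with "." is an assumed repair, not necessarily the fix that was committed.

```java
import java.util.List;

public class CookieNameCheck {
    // RFC 2616 separators; SP and HT are the last two characters.
    private static final String SEPARATORS = "()<>@,;:\\\"/[]?={} \t";

    /** True if c may appear in a token: a CHAR (0-127) that is neither a CTL nor a separator. */
    static boolean isTokenChar(char c) {
        return c > 31 && c < 127 && SEPARATORS.indexOf(c) < 0;
    }

    /** True if name is a non-empty token, i.e. a legal cookie name. */
    static boolean isToken(String name) {
        if (name.isEmpty()) return false;
        for (int i = 0; i < name.length(); i++) {
            if (!isTokenChar(name.charAt(i))) return false;
        }
        return true;
    }

    /** Longest leading run of token characters: what a parser that stops at the first separator keeps. */
    static String leadingToken(String name) {
        int i = 0;
        while (i < name.length() && isTokenChar(name.charAt(i))) i++;
        return name.substring(0, i);
    }

    /** Assumed repair: map the ':' path separator to '.', then reject anything that is still not a token. */
    static String toCookieName(String componentPath) {
        String name = componentPath.replace(':', '.');
        if (!isToken(name)) throw new IllegalArgumentException("not a token: " + componentPath);
        return name;
    }

    public static void main(String[] args) {
        // The first path is the issue's example; the second is constructed for illustration.
        List<String> paths = List.of("signInPanel:signInForm:username", "signInPanel:signInForm:password");
        for (String p : paths) {
            System.out.printf("%s token=%b leading=%s repaired=%s%n",
                    p, isToken(p), leadingToken(p), toCookieName(p));
        }
    }
}
```

Both paths have the same leading token, so a container that stops at the first separator cannot tell the two cookies apart. Validating the generated name against the token rule before setting the cookie catches this class of problem for any separator, not only ":".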

          People

            dashorst Martijn Dashorst
            thecoolace Bla Bla