Description
Wicket uses ":" to build up the cookie name out of different components (e.g."signInPanel:signInForm:username"). This violates the cookie spec (RFC 2965 and RFC 2616). According to this spec a cookie must be an av-pair
av-pairs = av-pair *(";" av-pair)
av-pair = attr ["=" value] ; optional value
attr = token
value = token | quoted-string
and token is:
token = 1*<any CHAR except CTLs or separators>
separators = "(" | ")" | "<" | ">" | "@"
"," | ";" | ":" | "\" | <"> |
"/" | "[" | "]" | "?" | "=" | |
"
{" | "}
" |
SP | HT |
Note that the cookie name MUST be a token and a token MUST NOT contain ":"
That's why tomcat 6.x delivers (correctly with best guess) "signInPanel" as cookie name for the above example.