  1. Wicket
  2. WICKET-1834

Invalid Cookie Names for persistence used according to RFC (doesn't work in tomcat 6.x)

Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.4-M3
    • Fix Version/s: 1.3.5, 1.4-RC1
    • Component/s: wicket
    • Labels: None

    Description

      Wicket uses ":" to build up the cookie name out of different components (e.g. "signInPanel:signInForm:username"). This violates the cookie spec (RFC 2965 and RFC 2616). According to this spec a cookie must be an av-pair:

      av-pairs = av-pair *(";" av-pair)
      av-pair = attr ["=" value] ; optional value
      attr = token
      value = token | quoted-string

      and token is:

      token = 1*<any CHAR except CTLs or separators>
      separators = "(" | ")" | "<" | ">" | "@"
                 | "," | ";" | ":" | "\" | <">
                 | "/" | "[" | "]" | "?" | "="
                 | "{" | "}" | SP | HT

      Note that the cookie name MUST be a token and a token MUST NOT contain ":".

      That's why Tomcat 6.x delivers (correctly with best guess) "signInPanel" as cookie name for the above example.
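
The token rule quoted in the description, written out as a check (an added example, not code from Wicket, Tomcat or the reporter). The class and method names are hypothetical; `nameSeenByStrictParser` only models a reader that stops at the first non-token character, and `toTokenSafe` is one possible mapping, not the fix applied in this issue.

```java
import java.util.BitSet;

public class CookieNameCheck {
    // RFC 2616 section 2.2 separators; the last two characters are SP and HT.
    private static final String SEPARATORS = "()<>@,;:\\\"/[]?={} \t";
    private static final BitSet TOKEN_CHARS = new BitSet(128);
    static {
        // CHAR is US-ASCII 0-127; CTLs are 0-31 and 127, so candidates are 0x21-0x7e.
        for (int c = 0x21; c < 0x7f; c++) {
            if (SEPARATORS.indexOf(c) < 0) TOKEN_CHARS.set(c);
        }
    }

    /** Index of the first character not allowed in a token, or -1 if there is none. */
    static int firstInvalid(String name) {
        for (int i = 0; i < name.length(); i++) {
            if (!TOKEN_CHARS.get(name.charAt(i))) return i;
        }
        return -1;
    }

    /** token = 1*<...>, so the empty string is not a token. */
    static boolean isToken(String name) {
        return !name.isEmpty() && firstInvalid(name) < 0;
    }

    /** Model of a reader that ends the cookie name at the first non-token character. */
    static String nameSeenByStrictParser(String name) {
        int i = firstInvalid(name);
        return i < 0 ? name : name.substring(0, i);
    }

    /** Hypothetical mapping: replace every non-token character with '.', which is a token char. */
    static String toTokenSafe(String name) {
        StringBuilder sb = new StringBuilder(name.length());
        for (char c : name.toCharArray()) sb.append(TOKEN_CHARS.get(c) ? c : '.');
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample names; the first is the one from the description.
        String[] names = { "signInPanel:signInForm:username",
                           "signInPanel:signInForm:password", "JSESSIONID" };
        for (String n : names) {
            System.out.printf("%-32s token=%-5b parsedAs=%-11s safe=%s%n",
                    n, isToken(n), nameSeenByStrictParser(n), toTokenSafe(n));
        }
    }
}
```

The second constructed name shares its first path component with the first, so both reduce to the same name under the strict reader; that collision is why the name should be validated before the cookie is set.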

          People

            dashorst Martijn Dashorst
            thecoolace Bla Bla