  1. Wicket
  2. WICKET-1834

Invalid Cookie Names for persistence used according to RFC (doesn't work in tomcat 6.x)

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.4-M3
    • Fix Version/s: 1.3.5, 1.4-RC1
    • Component/s: wicket
    • Labels:
      None

      Description

      Wicket uses ":" to build up the cookie name out of different components (e.g. "signInPanel:signInForm:username"). This violates the cookie spec (RFC 2965 and RFC 2616). According to this spec a cookie must be an av-pair:

      av-pairs = av-pair *(";" av-pair)
      av-pair = attr ["=" value] ; optional value
      attr = token
      value = token | quoted-string

      and token is:

      token = 1*<any CHAR except CTLs or separators>
      separators = "(" | ")" | "<" | ">" | "@"
                 | "," | ";" | ":" | "\" | <">
                 | "/" | "[" | "]" | "?" | "="
                 | "{" | "}" | SP | HT

      Note that the cookie name MUST be a token and a token MUST NOT contain ":".

      That's why Tomcat 6.x delivers (correctly with best guess) "signInPanel" as cookie name for the above example.
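
      The token rule quoted above, as an added example that is not part of the original report or of Wicket's code: it checks cookie names against the RFC 2616 separators and shows what a parser that stops at the first non-token character keeps as the name. The class name, the method names and every sample name other than the one from the report are assumptions made for illustration.

```java
public class CookieNameCheck {

    // Separators from RFC 2616 section 2.2, including SP and HT.
    private static final String SEPARATORS = "()<>@,;:\\\"/[]?={} \t";

    /** A token character is a CHAR (0-127) that is neither a CTL (0-31, 127) nor a separator. */
    static boolean isTokenChar(char c) {
        return c > 31 && c < 127 && SEPARATORS.indexOf(c) < 0;
    }

    /** Length of the leading run of token characters in name. */
    static int tokenPrefixLength(String name) {
        int i = 0;
        while (i < name.length() && isTokenChar(name.charAt(i))) {
            i++;
        }
        return i;
    }

    /** token = 1*<...>, so the name must be non-empty and consist only of token characters. */
    static boolean isValidCookieName(String name) {
        return !name.isEmpty() && tokenPrefixLength(name) == name.length();
    }

    /** The name as seen by a strict parser that stops at the first non-token character. */
    static String strictParserView(String name) {
        return name.substring(0, tokenPrefixLength(name));
    }

    public static void main(String[] args) {
        // Constructed sample names; only the first appears in the report.
        String[] names = {
            "signInPanel:signInForm:username",
            "signInPanel:signInForm:password",
            "signInPanel.signInForm.username", // hypothetical naming with "." as the separator
            "JSESSIONID"
        };
        for (String n : names) {
            if (isValidCookieName(n)) {
                System.out.printf("OK      %s%n", n);
            } else {
                System.out.printf("INVALID %s -> strict parser sees \"%s\"%n",
                        n, strictParserView(n));
            }
        }
    }
}
```

      Both ":"-separated names are reduced to "signInPanel" by the strict view, so two distinct persisted values would end up under one cookie name.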

            People

            • Assignee:
              dashorst Martijn Dashorst
              Reporter:
              thecoolace Bla Bla