  1. Wicket
  2. WICKET-2577

Cookies with special symbols in their values aren't properly saved

Details

    • Bug
    • Status: Resolved
    • Major
    • Resolution: Won't Fix
    • 1.4.4
    • None
    • wicket
    • None

    Description

      Cookies with special symbols in their values aren't properly saved and as a result aren't properly loaded.
      The real example is the use of an email name as a login in a login form with the "remember me" feature.

      The problem is that the email name contains the '@' symbol, which is in the "tspecials" set according to RFC 2068 (2.2), and so can't be used in a cookie value.
      The possible solution to this issue is to use "quoted-string" instead of "token", as described in RFC 2109 (4.1).

      To work around this problem I override getValuePersister class of a Form class:
      @Override
      protected IValuePersister getValuePersister() {
          return new CookieValuePersister() {
              @Override
              public void save(String key, String value) {
                  // Wrap the value in double quotes so it is saved as a quoted-string.
                  super.save(key, "\"" + value + "\"");
              }
          };
      }

      Without this workaround the loaded value is just "username" instead of "username@domain.name".

      I believe the proper place to fix it is in the Cookie class, but probably there are some historical reasons not to follow the RFC.
      E.g. in Jetty's servlet-api-2.5-6.1.9 you can see the following code:
      // Note – disabled for now to allow full Netscape compatibility
      // from RFC 2068, token special case characters
      //
      // private static final String tspecials = "()<>@,;:\\\"/[]?={} \t";

      private static final String tspecials = ",; ";

      But the issue exists in the Tomcat implementation of servlet-api too and also depends on the browser.

      So I suggest adding a workaround in Wicket. Probably we should add quotes only if tspecials are contained in the cookie value, but in my workaround I don't care about two extra chars and also don't check whether the value is already quoted.

            People

              ivaynberg Igor Vaynberg
              mihasik Michael Mikhulya