[SERVLET_SPEC-37] Update Cookie class and other specifications for RFC 6265 Created: 29/Mar/12 Updated: 06/Dec/16
|Reporter:||gregwilkins||Assignee:||Shing Wai Chan|
|Remaining Estimate:||Not Specified|
|Time Spent:||Not Specified|
|Original Estimate:||Not Specified|
Currently the Cookie class defaults to supporting RFC 2019 cookies.
The latest RFC appears to be well supported by browsers (e.g. Google cookies often contain commas which are not allowed by 2019, but are by 6265).
|Comment by gregwilkins [ 29/Mar/12 ]|
Actually my example of a , in the cookie value is wrong, as although Google appears to be doing that, it is not allowed by RFC6265.
|Comment by markt_asf [ 29/Mar/12 ]|
My experience has been that no matter what cookie specification is followed by the container, there will be a client or application that can't handle specification compliant values. We have had to add no end of hacks to Tomcat's cookie handling to allow checks to be bypassed to enable stuff to actually work. For example, anything that requires quoting (such as using commas in values) is often not handled correctly if it is quoted.
There is a clear unwillingness on the part of some browser vendors to adhere to the cookie specifications and no sign of this being something that causes users to migrate to a more standards compliant browser.
I don't particularly like the situation that has led to RFC 6265 (I would have preferred to see user demand driving browser compliance but that hasn't happened) but RFC 6265 is probably the best option since it is closer to what is actually happening than anything else. That said, I suspect container vendors will still need to add additional options to bypass some checks.
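The comma and quoting points raised in the comments above can be checked against the RFC 6265 section 4.1.1 grammar. The following is an added example, not part of the original thread and not code from Tomcat or the Servlet API; the class and method names are hypothetical and the sample values are constructed. Under this grammar a comma is rejected even inside double quotes.

```java
// Added example: RFC 6265 section 4.1.1 syntax checks for cookie-name and cookie-value.
// Class and method names are hypothetical; no servlet container code is used.
public final class Rfc6265CookieCheck {

    // RFC 2616 "separators", which may not appear in a token (cookie-name).
    private static final String SEPARATORS = "()<>@,;:\\\"/[]?={} \t";

    /** cookie-name = token: one or more US-ASCII chars, no CTLs, no separators. */
    static boolean isValidName(String name) {
        if (name == null || name.isEmpty()) return false;
        for (int i = 0; i < name.length(); i++) {
            char c = name.charAt(i);
            if (c <= 0x20 || c >= 0x7f || SEPARATORS.indexOf(c) >= 0) return false;
        }
        return true;
    }

    /** cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
     *  (excludes CTLs, whitespace, DQUOTE, comma, semicolon and backslash). */
    static boolean isCookieOctet(char c) {
        return c == 0x21 || (c >= 0x23 && c <= 0x2b) || (c >= 0x2d && c <= 0x3a)
                || (c >= 0x3c && c <= 0x5b) || (c >= 0x5d && c <= 0x7e);
    }

    /** cookie-value = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE ) */
    static boolean isValidValue(String value) {
        if (value == null) return false;
        int start = 0, end = value.length();
        // An optional pair of surrounding double quotes is allowed, but the
        // content between them must still consist only of cookie-octets.
        if (end >= 2 && value.charAt(0) == '"' && value.charAt(end - 1) == '"') {
            start = 1;
            end--;
        }
        for (int i = start; i < end; i++) {
            if (!isCookieOctet(value.charAt(i))) return false;
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from any real site.
        String[] samples = { "abc123", "a,b", "\"a,b\"", "\"quoted\"", "a b", "a;b", "" };
        for (String s : samples) {
            System.out.printf("%-10s -> %s%n", "[" + s + "]", isValidValue(s) ? "valid" : "rejected");
        }
    }
}
```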
|Comment by Shing Wai Chan [ 22/Feb/13 ]|
Adding it to the bucket of FUTURE_RELEASE
|Comment by markt_asf [ 06/Sep/16 ]|
Ping. This really needs to get into Servlet 4.0
|Comment by christopherschultz [ 08/Sep/16 ]|
+1 for updating and clarifying the spec. If Servlet 4.0 still contains a requirement to support RFC2019 (and nothing more recent), then the Java ecosystem will continue to suffer this confusion for another few years.