Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Cookies containing char '?' are not received correctly on Tomcat 7 #9

Open
MatthiasWinzeler opened this issue Aug 19, 2015 · 2 comments
Open

Cookies containing char '?' are not received correctly on Tomcat 7 #9

MatthiasWinzeler opened this issue Aug 19, 2015 · 2 comments

Comments

@MatthiasWinzeler
Copy link

MatthiasWinzeler commented Aug 19, 2015
edited by knu

I'm using mechanize for some automation purposes and noticed that a Cookie value is not correctly received on Tomcat 7.

Mechanize sends:

Cookie: COOKIE_NAME=/context/UI/Login?xyz=abcd

Tomcat 7 treats ? as a cookie separator while parsing and thus only receives COOKIE_NAME => /context/UI/Login.

Current browsers treat ? also as separator and send the cookie value quoted:

COOKIE_NAME="/context/UI/Login?xyz=abcd"

Mechanize/http-cookie only treats some control characters and ,;\ as delimiters to determine whether cookie values should be quoted:

http-cookie/lib/http/cookie/scanner.rb

Line 13 in 405a48b

RE_BAD_CHAR = /([\x00-\x20\x7F",;\\])/

It seems the cookie handling is a complex topic and the delimiters are not clearly specified. When I look at Tomcat's cookie source code, they have different scenarios where they treat even more characters as delimiters (i.e. all HTTP RFC2616 token delimiters, which would include ?/(){} etc.)

I suggest we add these token delimiters in the RE_BAD_CHAR regexp so containing strings get quoted; I think it won't break things if we foresightfully add some more quotes (I don't see a case where additional quotes would cause a problem).

For now, I'm monkey patching the cookie library to work around this:

require 'mechanize'

HTTP::Cookie::Scanner::RE_BAD_CHAR = /([\x00-\x20\x7F",;\\\?])/

Thanks for your great work!
@lacostej lacostej mentioned this issue Apr 2, 2016
Merged
@lacostej
Copy link

lacostej commented Apr 2, 2016

For reference, the URL CookieSupport.java code in latest tomcat is

@knu
Copy link
Member

knu commented Dec 9, 2016

I couldn't confirm the part about how browsers quote cookie values. As far as I could observe, if I set a cookie foo=bar?baz in Chrome and Firefox (both are the latest stable versions) they would send Cookie: foo=bar?baz; other_cookies.... There were no double quotes.

If I fed them foo="bar?baz" they'd send Cookie: foo="bar?baz"; other_cookies..., and if I fed them foo="bar; baz" then Cookie: foo="bar; other_cookies.... So, I could only conclude that they don't support double quotes at all. (!)

So, my question here is, doesn't the server actually send a Set-Cookie header with the value double-quoted? If that's the case, I guess the problem is in the parser that unquotes the double quoted value, not in the serializer to compose a Cookie header value.

@knu knu mentioned this issue Dec 9, 2016
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@knu @lacostej @MatthiasWinzeler