Hi Jan and Rajiv,
Thanks a lot for the prompt response to this. Really appreciate it.
Anissa.
Jan Luehe wrote:
Ken,
I just sent a heads-up to the Servlet EG (bcc'ing you and Anissa)
mentioning that this particular change will most likely have to be
reverted.
Rajiv and I don't anticipate any objections from the EG.
Therefore, I am going to revert it in time for tomorrow's promoted
build.
Thanks,
Jan
On 11/05/09 18:38, Ken Paulsen wrote:
I read RFC2965 and RFC2616... I agree a "token" is not supposed to have
those characters. This was specified in October 2000 and June 1999
respectively.
However, we've never been compliant and our application and undoubtedly
thousands of others have relied on cookies with illegal names. If we
change this now, we will break frameworks and applications making it
more difficult to move to JavaEE 6. At a minimum I would ask that we
provide a compatibility flag so older applications can continue to run.
Question: besides conforming to a spec which we've never followed in
the past, is there a motivation for this change? Any customers asking
for it? Any technical reason for making this? What is the benefit?
I also believe in following standards as close as possible (to the
letter)... but that ship sailed in 2000. We need further discussion on
this topic.
Thanks,
Ken
Rajiv Mordani wrote:
I would like to make this change as this is the only time we can make
this change until the next release of the spec. It makes the API
compliant with the underlying HTTP specs.
- Rajiv
Jan Luehe wrote:
Hi Ken,
On 11/05/09 17:37, Ken Paulsen wrote:
Hi Jan,
You made a change to Cookie.java which restricted certain characters
from a cookie name:
svn diff -r26092:33813 Cookie.java
- // Note -- disabled for now to allow full Netscape compatibility
- // from RFC 2068, token special case characters
- //
- // private static final String tspecials =
"()<>@,;:\\\"/[]?={} \t";
+ private static final String tspecials = "/()<>@,;:\\\"[]?={}
\t";
- private static final String tspecials = ",; ";
Woodstock uses "/" in one of the cookie they set. This is resulting in
our UI not functioning correctly (P2 issue filed: #10850 which is
blocking testing).
Is this change necessary? If so we're going to have to release a new
version of Woodstock to fix this, which I would really prefer to avoid.
Let me know!
In javax.servlet.http.Cookie, we've expanded the list of "special"
cookie
chars from
private static final String tspecials = ",; ";
to
private static final String tspecials = "/()<>@,;:\\\"[]?={}
\t";
This was requested by the Servlet EG in order to become compliant with
the HTTP 1.1 spec, see Section 2.2 ("Basic Rules") of RFC 2616, which
has the following:
Many HTTP/1.1 header field values consist of words separated by LWS
or special characters. These special characters MUST be in a quoted
string to be used within a parameter value (as defined in section
3.6).
token = 1*<any CHAR except CTLs or separators>
separators = "(" | ")" | "<" | ">" | "@"
| "," | ";" | ":" | "\" | <">
| "/" | "[" | "]" | "?" | "="
| "{" | "}" | SP | HT
See how the new definition of "tspecials" in Cookie.java matches the
definition of "separators" in the HTTP 1.1 spec.
Not sure how to handle this regression ...
Jan
Thanks,
Ken