users@grizzly.java.net

JSON data as cookie value

From: Marc Arens <marc.arens_at_open-xchange.com>
Date: Thu, 21 May 2015 23:09:49 +0200 (CEST)

Moin,

web developers seem to get creative these days and start storing
unencoded/stringified JSON data in cookies (see [1] for examples). As commas are
forbidden as part of the cookie value per RFC 6265 [2] AFAIU

cookie-value = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE )
cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
; US-ASCII characters excluding CTLs,
; whitespace DQUOTE, comma, semicolon,
; and backslash

this of course causes problems when these cookies reach the grizzly server as
part of a normal request. Grizzly versions from 2.2 to 2.3 split the cookie
values after the ',' which might cause further exceptions and break the complete
request.

e.g. issue a request like:

curl -v --cookie "name={\"id\":\"5070419\",\"Version\":\"undefined\"}"

Grizzly now turns the JSON into two cookies

Cookie1:
Name: name
Value: {"id":"5070419"


Cookie2:
Name: Version
Value:

If you are now using Servlets within Grizzly this will fail with an
IllegalStateException while trying to create Cookies

Caused by: java.lang.IllegalArgumentException: Cookie name "Version" is a
reserved token
at javax.servlet.http.Cookie.<init>(Cookie.java:150)
at org.glassfish.grizzly.servlet.HttpServletRequestImpl.getCookies(HttpServletRequestImpl.java:1127)


I compared Grizzly's cookie parsing to Jetty and while Jetty 7 fails in a
slightly different way

Cookie1:
Name: name
Value: {"id":"5070419"


Cookie2:
Name: Version
Value:

Jetty 9 seems to parse the cookie "correctly"

Cookie1:
Name: name
Value: {"id":"5070419","Version":"undefined"}


So my question is: Should Grizzly's cookie parsing be adjusted to behave more
like Jetty although the RFC is pretty clear on this topic? What's your opinion
on this? Maybe dropping malformed cookies while logging an error to simply
defend against bad behaviour would be the way to go?


[1] https://github.com/carhartl/jquery-cookie

[2] http://tools.ietf.org/html/rfc6265#section-4.1.1


...it was evening and it was morning and there were already two ways to store
Unicode...
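The two behaviours discussed in the mail, as an added example that is not code from Grizzly, Jetty or the original post. The first function is a simplified model (an assumption, not Grizzly's actual parser) of a pre-RFC-6265 cookie parser that treats ',' as a cookie separator, which is enough to reproduce the bogus "Version" cookie from the post. The second applies the RFC 6265 cookie-octet grammar quoted above: it splits on ';' only and, in strict mode, drops and logs a pair whose value violates the grammar, which is the "drop malformed cookies while logging an error" option raised at the end of the mail; in lenient mode it keeps the value verbatim, as the post says Jetty 9 does. The sample Cookie header values are the curl example from the post plus one constructed well-formed header.

```python
"""Added example: model of legacy comma-splitting vs. an RFC 6265 cookie check.
Not Grizzly's or Jetty's code; the legacy model is a simplification."""
import logging
import re
from typing import List, Tuple

log = logging.getLogger("cookies")

# cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
# i.e. printable US-ASCII minus DQUOTE, comma, semicolon and backslash.
_COOKIE_OCTETS = frozenset(chr(c) for c in range(0x21, 0x7F)) - frozenset('",;\\')

# RFC 2616 token characters; the cookie-name in RFC 6265 is a token.
_TOKEN_RE = re.compile(r"[!#$%&'*+\-.0-9A-Z^_`a-z|~]+")


def is_cookie_value(value: str) -> bool:
    """True when value matches cookie-value from RFC 6265 section 4.1.1:
    bare cookie-octets, or cookie-octets wrapped in exactly one pair of DQUOTEs."""
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        value = value[1:-1]
    return all(ch in _COOKIE_OCTETS for ch in value)


def split_legacy(header: str) -> List[Tuple[str, str]]:
    """Simplified model (assumption, not Grizzly's parser) of a pre-RFC-6265
    parser: ',' and ';' both separate cookies, the name is the run of token
    characters after an optional opening quote, and the value follows '='."""
    cookies = []
    for fragment in re.split(r"[;,]", header):
        fragment = fragment.strip().lstrip('"')
        m = _TOKEN_RE.match(fragment)
        if not m:
            continue
        name = m.group(0)
        rest = fragment[m.end():].lstrip()
        # A fragment with no '=' yields a cookie with an empty value, which is
        # how a JSON key such as "Version" turns into a cookie name.
        value = rest[1:].strip() if rest.startswith("=") else ""
        cookies.append((name, value))
    return cookies


def parse_rfc6265(header: str, strict: bool = True) -> List[Tuple[str, str]]:
    """Split on ';' only (cookie-string = cookie-pair *( ";" SP cookie-pair )).
    strict=True drops and logs a pair whose value violates cookie-octet instead
    of splitting it or passing it on; strict=False keeps the value verbatim."""
    cookies = []
    for pair in header.split(";"):
        pair = pair.strip()
        if not pair:
            continue
        name, sep, value = pair.partition("=")
        name, value = name.strip(), value.strip()
        if not sep or not _TOKEN_RE.fullmatch(name):
            log.error("dropping cookie pair without a valid name: %r", pair)
            continue
        if strict and not is_cookie_value(value):
            log.error("dropping cookie %r: value violates RFC 6265 cookie-octet", name)
            continue
        cookies.append((name, value))
    return cookies


# Sample inputs: the curl example from the post, and one constructed valid header.
JSON_COOKIE = 'name={"id":"5070419","Version":"undefined"}'
PLAIN_COOKIES = 'sid=abc123; theme=dark; token="a-b_c"'

if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    print("legacy split:  ", split_legacy(JSON_COOKIE))
    print("strict RFC:    ", parse_rfc6265(JSON_COOKIE))
    print("lenient:       ", parse_rfc6265(JSON_COOKIE, strict=False))
    print("well-formed:   ", parse_rfc6265(PLAIN_COOKIES))
```

Running it shows the legacy model producing the `name` / `Version` pair from the post, the strict parser rejecting the whole pair (the request still completes, with one cookie less and an error in the log), and the lenient parser returning the JSON string intact. Whichever policy a server picks, the point for application code is the same: a value that contains commas, quotes or semicolons has to be encoded (for example percent- or base64-encoded) before it goes into a cookie, or its parsing depends on which server sits in front of it.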