STRICT_SERVLET_COMPLIANCE

When STRICT_SERVLET_COMPLIANCE is set to true, the value of FWD_SLASH_IS_SEPARATOR is also set to true (as are the values of some other properties).

If this is true then the / (forward slash) character will be treated as a separator. Note that this character is frequently used in cookie path attributes and some browsers will fail to process a cookie if the path attribute is quoted as is required by a strict adherence to the specifications. This is highly likely to break session tracking using cookies.

To summarize the above: when FWD_SLASH_IS_SEPARATOR is true, the cookie's Path value is enclosed in quotes. Browsers don't expect this, so a browser that receives such a cookie doesn't send it back on subsequent requests, because it doesn't think the cookie's Path value matches the path being requested. Essentially, cookie-based sessions are broken in major browsers and curl unless -Dorg.apache.tomcat.util.http.ServerCookie.FWD_SLASH_IS_SEPARATOR=false is passed on boot.

I've tested this with all browsers and it seems only Opera understands this feature correctly.
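
As an added illustration (not code from Tomcat or from the original post), the Python sketch below flags Set-Cookie headers whose Path attribute is quoted and models a client that compares the Path value literally, quotes included, which is the behaviour described above. The header lines, the cookie value and the literal-comparison client model are assumptions made for the example.

```python
# Constructed sample response headers (not captured from a real server).
SAMPLE_HEADERS = [
    'Set-Cookie: JSESSIONID=0123456789ABCDEF; Path="/portal"; HttpOnly',
    'Set-Cookie: JSESSIONID=0123456789ABCDEF; Path=/portal; HttpOnly',
]


def parse_set_cookie(line):
    """Return (cookie_name, raw Path value or None) for one Set-Cookie line."""
    value = line.split(":", 1)[1].strip()
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    path = None
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        if key.strip().lower() == "path":
            path = val.strip()
    return name, path


def path_match(request_path, cookie_path):
    """Path-match rule from RFC 6265 section 5.1.4."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def literal_client_returns(line, request_path):
    """Assumed client model: the Path value is compared as sent, quotes included."""
    _, path = parse_set_cookie(line)
    # Simplification: a missing or empty Path is treated as "/".
    return path_match(request_path, path or "/")


def quoted_path_cookies(lines):
    """Names of cookies whose Path attribute is wrapped in double quotes."""
    parsed = [parse_set_cookie(line) for line in lines]
    return [n for n, p in parsed if p and len(p) >= 2 and p[0] == p[-1] == '"']


if __name__ == "__main__":
    for hdr in SAMPLE_HEADERS:
        print(literal_client_returns(hdr, "/portal/home"), hdr)
    print("quoted Path on:", quoted_path_cookies(SAMPLE_HEADERS))
```

Running quoted_path_cookies over saved response headers from a deployment is a quick way to confirm whether the FWD_SLASH_IS_SEPARATOR setting is affecting the session cookie.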
