
tomcat cookie domain validation

Tags:

cookies

tomcat

I'm using Tomcat 8.0.21 with the new Rfc6265 cookie processor. If there are cookies starting with a dot, I'm getting the following error:

java.lang.IllegalArgumentException: An invalid domain [.db-app.de] was specified for this cookie
org.apache.tomcat.util.http.Rfc6265CookieProcessor.validateDomain(Rfc6265CookieProcessor.java:180)
org.apache.tomcat.util.http.Rfc6265CookieProcessor.generateHeader(Rfc6265CookieProcessor.java:122)
org.apache.catalina.connector.Response.generateCookieString(Response.java:959)
org.apache.catalina.connector.Response.addCookie(Response.java:907)
org.apache.catalina.connector.ResponseFacade.addCookie(ResponseFacade.java:392)
org.esigate.servlet.impl.ResponseSender.sendResponse(ResponseSender.java:70)
com.bahn.esiExtensions.ExtendedProxyServlet.doFilter(ExtendedProxyServlet.java:104)

Is there a way to prevent Tomcat from throwing this error?

heinzwilli asked Apr 13 '15 14:04


3 Answers

I'm using a new version of Tomcat 8 (from this last October), and after adding the line to force use of the legacy cookie processor, it works fine. In your ${catalina.base}/conf/context.xml:

<Context>

<!-- Default set of monitored resources. If one of these changes, the    -->
<!-- web application will be reloaded.                                   -->
<WatchedResource>WEB-INF/web.xml</WatchedResource>
<WatchedResource>${catalina.base}/conf/web.xml</WatchedResource>

<!-- Uncomment this to disable session persistence across Tomcat restarts -->
<!--
<Manager pathname="" />
-->

<!-- Force use of the old cookie processor (because this new Tomcat version uses the RFC 6265 cookie specification) -->
<CookieProcessor className="org.apache.tomcat.util.http.LegacyCookieProcessor" />

</Context>

I hope this may be your case. Just set this CookieProcessor, and your implementation will work as it did in previous versions of Tomcat 8.

Mr. Anderson answered Nov 18 '22 19:11


With the new cookie processor on Tomcat 8, your cookie domain must start with a number or a letter. Removing the leading dot should get rid of this error.

Try changing it to dot.db-app.de instead, or give it a new name entirely.

user1639616 answered Nov 18 '22 20:11
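
One way to apply the "remove the leading dot" fix in code while keeping the RFC 6265 cookie processor, as an added example (not code from the original posts or from Tomcat): a small Java helper, with the hypothetical name CookieDomainNormalizer, that strips a single leading dot and returns null for values that are still not a plain hostname. Its hostname check is a conservative assumption, not a copy of Tomcat's validateDomain.

```java
import java.util.Locale;
import java.util.regex.Pattern;

/** Added example: normalizes a cookie Domain value before it reaches response.addCookie(). */
public final class CookieDomainNormalizer {

    // One DNS label: letters, digits, hyphens; must start and end with a letter or digit.
    private static final String LABEL = "[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?";
    private static final Pattern HOSTNAME = Pattern.compile(LABEL + "(?:\\." + LABEL + ")*");

    /**
     * Returns a domain that starts with a letter or digit, or null when the
     * value is unusable and the cookie should be sent host-only (no Domain).
     */
    public static String normalize(String domain) {
        if (domain == null) {
            return null;
        }
        String d = domain.trim().toLowerCase(Locale.ROOT);
        // RFC 6265 section 5.2.3: user agents ignore one leading dot, so
        // ".db-app.de" and "db-app.de" give the cookie the same scope.
        if (d.startsWith(".")) {
            d = d.substring(1);
        }
        // Reject anything that is still not a plain hostname (empty value,
        // second leading dot, trailing dot, whitespace, control characters).
        return HOSTNAME.matcher(d).matches() ? d : null;
    }

    public static void main(String[] args) {
        // Constructed sample values; the first is the domain from the stack trace.
        String[] samples = { ".db-app.de", "db-app.de", "..db-app.de", "db-app.de.", "" };
        for (String s : samples) {
            System.out.printf("%-14s -> %s%n", "[" + s + "]", normalize(s));
        }
    }
}
```

In a proxy such as the one in the stack trace, pass cookie.getDomain() through normalize() and call cookie.setDomain() only when the result is non-null. A cookie sent without a Domain attribute is host-only, which is a narrower scope than any Domain value.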


You can revert Tomcat's behaviour by defining the legacy cookie processor in your context.xml file.

See Apache Tomcat 8 Configuration Reference: The Cookie Processor Component

Paul Podgorsek answered Nov 18 '22 21:11