Tomcat 6.0.18, Version 1 Cookies, Acegi Remember Me, and IE

I’ve got to write all this out hoping that it’ll bring some clarity to what I’m seeing, here’s the stage:

  • Tomcat 6.0.16 changed the way that cookies are sent from the server to the browser IF the cookie value contained any of the following characters: “()<>@,;:\\\”[]?={} \t”, the change being that if you attempt to set a cookie while inside an application deployed in Tomcat 6.0.16, the cookie value would get wrapped in double quotes and the cookie version would get set to 1. All fine and dandy.
  • Except that as part of the fix, someone decided that the path part of the cookie should also get wrapped in double quotes and IE6 and IE7 don’t like that, in fact they’ll ignore cookies where the value of the path attribute is quoted, which led to this bug getting filed and fixed as part of the 6.0.17 release.

At least they thought it was fixed, here’s what I’m seeing: if you set a cookie that contains any of the above mentioned characters (let’s say that hypothetically you’re using the TokenBasedRememberMeServices class, itself part of Acegi, that sets a cookie whose value is the Base64 encoded representation of your username, an expiration time and another string, long story short the value ends up looking something like this: YWFyb246MTIyODI0ODEwMjk5NjoyOGM5ODc4YzExOGZiOGZjZTBkZDE0ZTA1ZWRhZTM3Nw==) then Tomcat will end up wrapping the cookie value in quotes, will set the Version to 1 and … well, did you know that when you set the version of a cookie to 1 that the cookie looks different? Here’s Tomcat setting the cookie pre-6.0.16:

Set-Cookie: yankeessuck=YWFyb246MTIyODI0ODEwMjk5NjoyOGM5ODc4YzExOGZiOGZjZTBkZDE0ZTA1ZWRhZTM3Nw==; Expires=Thu, 19-Nov-2009 02:29:29 GMT;

and here’s the same cookie being set in 6.0.18:

Set-Cookie: yankeessuck="YWFyb246MTIyODI0ODEwMjk5NjoyOGM5ODc4YzExOGZiOGZjZTBkZDE0ZTA1ZWRhZTM3Nw=="; Version=1; Max-Age=31536000;

See the three changes? The cookie value is quoted, the version attribute was added and … hey, look at that, the expires attribute turned into the max-age attribute. I guess that’s cool right? I mean all browsers should support RFC-2109 (which was published in 1997 and then superseded by RFC-2965), right? Well, it looks like (and this is where I’m hoping someone will prove me wrong) neither IE6, nor IE7, nor Safari honor the max-age attribute which means, drum roll please, you can’t set a persistent cookie on IE6, IE7 or Safari via Tomcat 6.0.18 that contains any of the above mentioned characters. Someone PLEASE prove me wrong.

If I’m right (and this Citrix KB doc seems to back up the IE6 / IE7 behavior I’m seeing), anyone that has deployed an Acegi-based Java web application that uses the default TokenBasedRememberMeServices on the latest version of Tomcat is 100% screwed. I’m not sure who to blame more: IE for being the lamest browser ever (although Safari doesn’t seem to like Max-Age either) or Tomcat for changing (in a pretty big way) the way they publish cookies in a point release.

For more on RFC-2109 and RFC-2965, check out this blog post.

This entry was posted in Uncategorized. Bookmark the permalink.

10 Responses to Tomcat 6.0.18, Version 1 Cookies, Acegi Remember Me, and IE

  1. Pete says:

    I am running into the same issue now w/ Tomcat 6.0.18 so it is not just you. I’m upgrading an app from Tomcat 4.x, and looking the cookies set by Tomcat 4 use ‘Expires’ while Tomcat 6 is using ‘Max-Age’ – which as you said freaks IE out…

    I’m looking into a solution – do you know of any?

  2. pete says:

    I’ve done some additional research on this, and it seems that the only current workaround is to write the ‘Set-Cookie’ header yourself, adding the ‘Expires=’ parameter as well – even though that renders the cookie non-standard. But FireFox and other browser’s don’t seem to mind the extra parameter being there.

  3. Ramesh says:

    is this still not resolved ? I’m facing the exact same problem..I would appreciate any suggestions..

  4. Ramesh says:

    Ok, this is being fixed in Tomcat 6.0.19
    https://issues.apache.org/bugzilla/show_bug.cgi?id=46403
    Thanks,
    Ramesh

  5. Hen says:

    It also is in the 5.5.x SVN branch, so presumably will be in a 5.5.28 release.

  6. Matt says:

    I got it to work by encoding/decoding ((w/URLSafe parameter) the contents of the cookie with this Base64 class http://iharder.sourceforge.net/current/java/base64/

    I think it was the equal sign (=) at the end of the contents causing the problem.

  7. Naveen says:

    Still an issue with Tomcat 6.0.20, have to urlencode to get it working.

  8. sean says:

    This has been fixed on tomcat6.0.24

    TokenBasedRememberMeServices class, itself part of Acegi, that sets a cookie whose value is the Base64 encoded representation of your username, an expiration time and another string, long story short the value ends up looking something like this: YWFyb246MTIyODI0ODEwMjk5NjoyOGM5ODc4YzExOGZiOGZjZTBkZDE0ZTA1ZWRhZTM3Nw==) then Tomcat will end up wrapping the cookie value in quotes, will set the Version to 1 and … well, did you know that when you set the version of a cookie to 1 that the cookie looks different? Here’s Tomcat setting the cookie pre-6.0.16:

  9. rosh says:

    I check on tomcat6.0.24. Issue is still there.

  10. Rob Hall says:

    I ran into this problem today w/ Tomcat 7.0.25. Issue is still there. Had to do .replace(/”/g, “”) to strip the quotes around the cookie value in Javascript on the UI to use the cookie value.

Leave a Reply

Your email address will not be published. Required fields are marked *

*

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>