Links: 11-24-2008

Links: 11-18-2008

Tomcat 6.0.18, Version 1 Cookies, Acegi Remember Me, and IE

I’ve got to write all this out hoping that it’ll bring some clarity to what I’m seeing, here’s the stage:

  • Tomcat 6.0.16 changed the way that cookies are sent from the server to the browser IF the cookie value contained any of the following characters: “()<>@,;:\\\”[]?={} \t”, the change being that if you attempt to set a cookie while inside an application deployed in Tomcat 6.0.16, the cookie value would get wrapped in double quotes and the cookie version would get set to 1. All fine and dandy.
  • Except that as part of the fix, someone decided that the path part of the cookie should also get wrapped in double quotes and IE6 and IE7 don’t like that, in fact they’ll ignore cookies where the value of the path attribute is quoted, which led to this bug getting filed and fixed as part of the 6.0.17 release.

At least they thought it was fixed, here’s what I’m seeing: if you set a cookie that contains any of the above mentioned characters (let’s say that hypothetically you’re using the TokenBasedRememberMeServices class, itself part of Acegi, that sets a cookie whose value is the Base64 encoded representation of your username, an expiration time and another string, long story short the value ends up looking something like this: YWFyb246MTIyODI0ODEwMjk5NjoyOGM5ODc4YzExOGZiOGZjZTBkZDE0ZTA1ZWRhZTM3Nw==) then Tomcat will end up wrapping the cookie value in quotes, will set the Version to 1 and … well, did you know that when you set the version of a cookie to 1 that the cookie looks different? Here’s Tomcat setting the cookie pre-6.0.16:

Set-Cookie: yankeessuck=YWFyb246MTIyODI0ODEwMjk5NjoyOGM5ODc4YzExOGZiOGZjZTBkZDE0ZTA1ZWRhZTM3Nw==; Expires=Thu, 19-Nov-2009 02:29:29 GMT;

and here’s the same cookie being set in 6.0.18:

Set-Cookie: yankeessuck="YWFyb246MTIyODI0ODEwMjk5NjoyOGM5ODc4YzExOGZiOGZjZTBkZDE0ZTA1ZWRhZTM3Nw=="; Version=1; Max-Age=31536000;

See the three changes? The cookie value is quoted, the version attribute was added and … hey, look at that, the expires attribute turned into the max-age attribute. I guess that’s cool right? I mean all browsers should support RFC-2109 (which was published in 1997 and then superseded by RFC-2965), right? Well, it looks like (and this is where I’m hoping someone will prove me wrong) neither IE6, nor IE7, nor Safari honor the max-age attribute which means, drum roll please, you can’t set a persistent cookie on IE6, IE7 or Safari via Tomcat 6.0.18 that contains any of the above mentioned characters. Someone PLEASE prove me wrong.

If I’m right (and this Citrix KB doc seems to back up the IE6 / IE7 behavior I’m seeing), anyone that has deployed an Acegi-based Java web application that uses the default TokenBasedRememberMeServices on the latest version of Tomcat is 100% screwed. I’m not sure who to blame more: IE for being the lamest browser ever (although Safari doesn’t seem to like Max-Age either) or Tomcat for changing (in a pretty big way) the way they publish cookies in a point release.

For more on RFC-2109 and RFC-2965, check out this blog post.