tracker issue : CF-3608332

select a category, or use search below
(searches all categories and all time range)

CFCOOKIE setting empty string with double quotes on the client side

| View in Tracker

Status/Resolution/Reason: Closed/Fixed/

Reporter/Name(from Bugbase): Jae Jung / Jae Jung (jsjung35)

Created: 08/06/2013

Components: Core Runtime, Session Management

Versions: 10.0

Failure Type:

Found In Build/Fixed In Build: Final / 287384

Priority/Frequency: Major / All users will encounter

Locale/System: English / Win 2008 Server R2 64 bit

Vote Count: 0

Problem Description:
When setting the CFCOOKIE to an empty string the client side browser shows that ColdFusion placed double quotes as the value.
Steps to Reproduce:
Set the CFCOOKIE with the value="" then inspect the cookie on the browser side and you will see a double quote
Actual Result:
The actual result on the client side should be an empty string with no value
Expected Result:

Any Workarounds:
Initially set the cookie from the client side then set a value in CFCOOKIE.

----------------------------- Additional Watson Details -----------------------------

Watson Bug ID:	3608332

Deployment Phase:	Release Candidate

External Customer Info:
External Company:  
External Customer Name: jsjung35
External Customer Email:  
External Test Config: My Hardware and Environment details:



The issue is when checking for an empty string in the JavaScript it is failing since there is a value. My previous code that checked for empty string is now failing.
Comment by External U.
14738 | August 06, 2013 04:30:38 PM GMT
CFCookie and Cookie in script Bug Number: CF-3608332 Reviewer: Alty Description: Empty cookie value was getting added as "" i.e. double quotes characters. This is a bug with Tomcat. Logged tomcat bug 55867. For now if cookie value is empty we will add this cookie as SET-Cookie header instead of calling response.addCookie method. Smokes Passed: Yes Note for QA: yes, run cookie tests Note for Doc: no Note for IDE: no Integrate to Beta: no (Comment added from ex-user id:shilpik)
Comment by Adobe D.
14739 | December 12, 2013 07:00:39 AM GMT
Comments from Tomcat bug. Looks like we will not get a fix from tomcat. [reply] [?] Description Shilpi 2013-12-12 07:15:00 UTC When Cookie value is empty, double quotes are added. Example if cookie is following - name = test value = the resultant cookie in the client is test = "" Tried using org.apache.tomcat.util.http.ServerCookie.ALLOW_NAME_ONLY property, but it has no effect. [reply] [?] Comment 1 Christopher Schultz 2013-12-12 14:30:20 UTC RFC2109 says that values are tokens or quoted-values, and whitespace is allowed around tokens, equals signs, etc. Using value="" seems entirely appropriate. RFC2109 also says that the cookie value is opaque to the client and only has meaning to the server. Since the server decided to add the double-quotes, it should be able to handle the cookie value coming back to it. Why is this a bug? [reply] [?] Comment 2 Shilpi 2013-12-13 03:28:12 UTC This creates a problem if the cookie value is validated or checked in some other system/server/component. As there an empty cookie was expected. org.apache.tomcat.util.http.ServerCookie.ALLOW_NAME_ONLY property is honored while reading request cookies, Can we also not use the same while setting cookies? [reply] [?] Comment 3 Mark Thomas 2013-12-13 11:52:55 UTC Generally Tomcat follows the principle of being flexible in what it accepts and strict about what it sends. This means that some bending of the specifications is permitted when processing input where there is no risk of any harm being done but anything sent by Tomcat will always be specification compliant. None of the cookie specs I am aware of allow name only cookies so while Tomcat can optionally be configured to accept them, Tomcat will never send one. Note that even RFC6265 states that such a cookie should be ignored. I'll also mention at this point that Tomcat takes a slightly less tolerant view of non-compliant cookies (requiring an explicit option to be set to process them) due to past security issues involving malformed cookies. If some other system can't handle a specification compliant cookie with a name-value pair of test="" then that is a bug in that system. The Tomcat project generally avoids adding workarounds for 3rd party components that can't process specification compliant responses. Expand (Comment added from ex-user id:shilpik)
Comment by Adobe D.
14740 | December 13, 2013 06:38:43 AM GMT