tracker issue : CF-4203336

select a category, or use search below
(searches all categories and all time range)

Cookies containing the '@' character are truncated (i.e. those with emails)

| View in Tracker

Status/Resolution/Reason: Closed/Withdrawn/Workaround

Reporter/Name(from Bugbase): Kevin Wolf / ()

Created: 09/11/2018

Components: Security

Versions: 2016,11.0,2018

Failure Type: Others

Found In Build/Fixed In Build: 11,0,14,307976 /

Priority/Frequency: Normal / Most users will encounter

Locale/System: English / Win 2012 Server x64

Vote Count: 0

Problem Description:

Attempting to reference a cookie with a value that contains an @ sign is truncated at the @ character.

Steps to Reproduce:

Create a simple cookie, containing an email address, may need to use inspector to ensure cookie value is plaintext and not url-encoded (Cf will by default if used to create cookie).  

Either dumping the cookie struct or referencing the cookie will give truncated value.


If there is a cookie named "test" with the value "":

writeOutput( cookie.test );

Actual Result:


Expected Result:

Any Workarounds:
None at the moment



Java version: 1.8.0_161
Comment by Kevin W.
29685 | September 11, 2018 10:18:34 PM GMT
Ideally you need to encode the cookies while setting it from javascript. And on the server side you can use the decoded cookie value.   Tomcat by default rejects such invalid characters in Cookie there by stripping it out the value. But RFC 6265 allows such strings there by when you enable RFC6265 cookie processor it would work. To make this work go to cfusion\runtime\conf\context.xml and comment the below <!--<CookieProcessor className="org.apache.tomcat.util.http.LegacyCookieProcessor" />–> Which enables tomcat to use the RFC6265 cookie processing. To support some IE version browsers and not to break backward compatibility we have fallen back to legacy cookie processor.
Comment by Kailash B.
30724 | May 14, 2019 11:52:41 AM GMT
Hi Kailash, As you've described, Tomcat 9's standard implementation of the Cookie Processor is indeed org.apache.tomcat.util.http.Rfc6265CookieProcessor. New CF developers would expect this modern processor, so effecting this undocumented workaround should be simpler than modifying an XML file. Could you please re-open to consider a CF Admin "Cookie Processor" setting, to simplify effecting the workaround you've described? Thanks!, -Aaron
Comment by Aaron N.
30738 | May 15, 2019 09:41:58 AM GMT