The Cookie Processor Component
Table of Contents
Introduction
The CookieProcessor element represents the component that
parses received cookie headers into javax.servlet.http.Cookie
objects accessible through HttpServletRequest.getCookies()
and
converts javax.servlet.http.Cookie
objects added to the response
through HttpServletResponse.addCookie()
to the HTTP headers
returned to the client.
A CookieProcessor element MAY be nested inside a Context component. If it is not included, a default implementation will be created automatically.
Note: CookieProcessor is a new configuration element, introduced in Tomcat 8.0.15.
- The CookieProcessor element allows different cookie
parsing configuration in each web application, or globally in the default
conf/context.xml
file. The legacy cookie parsing algorithm supported only limited global configuration via several system properties. Those system properties are still supported, but are going to be deprecated in favor of this new configuration element. - The new RFC6265-compliant implementation is a drop-in replacement for
the original legacy one. The legacy implementation remains the default. You
can select the implementation by setting
className
attribute on CookieProcessor element.
Attributes
Common Attributes
All implementations of CookieProcessor support the following attributes:
Attribute | Description |
---|---|
className |
Java class name of the implementation to use. This class must
implement the |
Standard Implementation
The standard implementation of CookieProcessor is
org.apache.tomcat.util.http.LegacyCookieProcessor
. Note
that it is anticipated that this will change to
org.apache.tomcat.util.http.Rfc6265CookieProcessor
in a future
Tomcat 8 release.
This is the legacy cookie parser based on RFC6265, RFC2109 and RFC2616. It implements a strict interpretation of the cookie specifications. Due to various interoperability issues with browsers not all strict behaviours are enabled by default and additional options are available to further relax the behaviour of this cookie processor if required.
Attribute | Description |
---|---|
allowEqualsInValue |
If this is If not set the specification compliant default value of
|
allowHttpSepsInV0 |
If this is If not specified, the default specification compliant value of
|
allowNameOnly |
If this is If not set the specification compliant default value of
|
alwaysAddExpires |
If this is If |
forwardSlashIsSeparator |
If this is |
preserveCookieHeader |
If this is |
RFC 6265 Cookie Processor - org.apache.tomcat.util.http.Rfc6265CookieProcessor
This cookie processor is based on RFC6265 with the following changes to support better interoperability:
- Values 0x80 to 0xFF are permitted in cookie-octet to support the use of UTF-8 in cookie values as used by HTML 5.
- For cookies without a value, the '=' is not required after the name as some browsers do not sent it.
The RFC 6265 cookie processor is generally more lenient than the legacy cookie parser. In particular:
- The '
=
' and '/
' characters are always permitted in a cookie value. - Name only cookies are always permitted.
- The cookie header is always preserved.
No additional attributes are supported by the RFC 6265 Cookie Processor.
Nested Components
No element may be nested inside a CookieProcessor.
Special Features
No special features are associated with a CookieProcessor element.