2

I have an application deployed on Tomcat 6.0.33 that generates a cookie with a forward slash (/) as one of the characters in the cookie value. Now for some reason Tomcat is enclosing the cookie value in double quotes whenever a forward slash is present. How can I change Tomcat's behavior to avoid putting double quotes whenever a forward slash is present in my cookie value?

N.B. I do not agree with BaluC that this is a duplicate question. I did check the other one before I posted this one. I have specifically asked in this question how to change Tomcat's behavior to remove the quotes. This is totally different from the other question, where the questioner is wondering why double quotes are introduced in the first place.

Jonathan Leffler
user1639616
  • I also think there's an overlap between the two questions but I would not call them **exact** duplicates. The `SPACE` character mentioned in the other question requires encoding, while the `forward slash (/)` mentioned in this question, or the `equals sign (=)` that troubled me should be accepted **without encoding or quotes**. In fact [tomcat 8.x](https://tomcat.apache.org/tomcat-8.0-doc/config/cookie-processor.html#RFC_6265_Cookie_Processor_-_org.apache.tomcat.util.http.Rfc6265CookieProcessor) now permits them: `The '=' and '/' characters are always permitted in a cookie value.` – Kostas Filios Apr 18 '17 at 15:00
  • the answer to this question is useful for another ticket, but the one falsely marked as duplicate is not. obviously not a dupe – Nicholas DiPiazza Oct 02 '18 at 13:02
  • @NicholasDiPiazza "is not obviously not a dupe" - a strange case where removing both nots has a different meaning than the original sentence. Not obviously not a double negative. – E L Oct 20 '20 at 04:55
  • not sure what i was smokin on when i posted that lol. i think i was pointing out that the ticket that was indicated as the answer to this ticket was not a useful answer. and the answer in this ticket was a useful answer. perhaps one of those "overzealous" ticket closures. – Nicholas DiPiazza Oct 21 '20 at 12:53

2 Answers

3

I found that the issue is with the Tomcat version. The cookie processor encloses the cookie value in quotes when it encounters a forward slash. I upgraded to Tomcat 7 and those quotes are gone. The rules on cookie values are relaxed in Tomcat 7.

I further discovered that even in Tomcat 7, if there is an '=' in the cookie value, Tomcat encloses the value in double quotes. I overcame this by further upgrading to Tomcat 8 and then changing its cookie processor to Rfc6265CookieProcessor.

user1639616
  • More specifically, [CookieProcessor](https://tomcat.apache.org/tomcat-8.0-doc/config/cookie-processor.html) was introduced in Tomcat 8.0.15 along with its two implementations: The old [LegacyCookieProcessor](http://grepcode.com/file/repo1.maven.org/maven2/org.apache.tomcat/tomcat-coyote/8.0.15/org/apache/tomcat/util/http/LegacyCookieProcessor.java) and the new [Rfc6265CookieProcessor](http://grepcode.com/file/repo1.maven.org/maven2/org.apache.tomcat/tomcat-coyote/8.0.15/org/apache/tomcat/util/http/Rfc6265CookieProcessor.java) – Kostas Filios Apr 18 '17 at 14:47
  • Still happening to me in tomcat 8.3. Cookies.add(response, KEY, "!'()*-._~"); generates a quote around on the client. – mjs Aug 07 '17 at 13:57
  • Wow, kind of weird it does that. Thanks! For me, I always use a helper function getCookie, so I just now added: cookieValue = StringUtils.strip(cookieValue, "\""); – E L Oct 20 '20 at 04:59
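The cookie-processor change described in the answer above, shown as an added example that is not part of the original posts: a `context.xml` fragment that swaps the legacy processor for `Rfc6265CookieProcessor`. The file location (the application's `META-INF/context.xml`, or `conf/context.xml` for every application on the server) is an assumption about the deployment.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example; assumed to live in the web application's META-INF/context.xml. -->
<Context>

    <!-- Before: the legacy processor, which Tomcat 8.0 uses when no
         CookieProcessor element is present. Shown commented out for comparison;
         a Context takes at most one CookieProcessor. -->
    <!--
    <CookieProcessor className="org.apache.tomcat.util.http.LegacyCookieProcessor" />
    -->

    <!-- After: the RFC 6265 processor named in the answer. Per the Tomcat 8 docs
         quoted in the comments on the question, '=' and '/' are always permitted
         in a cookie value with this processor. -->
    <CookieProcessor className="org.apache.tomcat.util.http.Rfc6265CookieProcessor" />

</Context>
```

With this processor, a value containing characters outside the RFC 6265 cookie-octet set (space, double quote, comma, semicolon, backslash) is rejected with an `IllegalArgumentException` when the cookie is added to the response, so check what the application writes before switching.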
-2

You should use rawurlencode(), not urlencode() for escaping path parts. urlencode() is misnamed, it is actually for application/x-www-form-urlencoded data such as in the query string or the body of a POST request, and not for other parts of the URL.

Adi
  • I don't want to add any additional encoding. I want the string value to be written out just as it is without the double quotes getting introduced. – user1639616 Jul 27 '15 at 20:49
  • It is the function that you are storing your cookies with, try using the rawurlencode() function and the results will be without the double quotes. – Adi Jul 28 '15 at 07:56
  • URL encoding (of any sort) should not be required for the forward slash. – Kostas Filios Apr 18 '17 at 15:03