
I am migrating my server from Tomcat-6 to Tomcat-9. My website is designed for the HTTP/1.1 protocol. The server.xml file contains the connector protocol org.apache.coyote.http11.Http11NioProtocol. The server starts up normally without generating any errors. However, when I try to access my website using localhost, I get the following error:

INFO [https-nio-8445-exec-3] org.apache.tomcat.util.http.parser.Cookie.logInvalidHeader A cookie header was received [ 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 21, 22, 23]; userId=53136] that contained an invalid cookie. That cookie will be ignored.Note: further occurrences of this error will be logged at DEBUG level.

Can anyone please tell me the reason for this error? What causes an invalid cookie? Can this error be avoided if I use a different connector?

Dhumil Agarwal

  • Did you ever solve this? I am getting the same error – David Brossard Jan 10 '17 at 18:18
  • No, I haven't solved it yet. I could not get an answer for it anywhere, hence the migration is pending. – Dhumil Agarwal Jan 11 '17 at 05:53
  • We hit the issue on Apache Tomcat 8.5 – David Brossard Jan 11 '17 at 05:54
  • Your cookie is rejected by the newer Tomcat's CookieProcessor. Possible solutions are: (1) Change your cookie to a compatible one. (2) Configure your Tomcat to use the old LegacyCookieProcessor. (3) Halt the upgrade. [References: (a) https://stackoverflow.com/a/38705982/1878585 (b) http://tomcat.apache.org/migration-85.html#Cookies (c) https://tomcat.apache.org/tomcat-8.5-doc/config/cookie-processor.html#Standard_Implementation] – Thariq Nugrohotomo Jul 20 '17 at 02:30
  • Is there a way to disable this logging, as the cookie might contain sensitive data? – mohitmayank Jul 21 '19 at 01:59

3 Answers

I found that the API deployed on Tomcat was able to grab the cookies when I sent a cURL request, though there was a Tomcat warning.

curl -XPOST -H "Content-Type: application/json"  --cookie "userId=64ad960c-bb7e-48dd-8191-4f31539bc2c2,accessToken=64ad960c-bb7e-48dd-8191-4f31539bc2c2" -d '{"message":"play porcupine tree"}' http://localhost:9090/nlu/convo

But to remove the warning, I had to update the cookie processor (LegacyCookieProcessor) in the Tomcat config (conf/context.xml).

Example:

cat /usr/local/apache-tomcat-8.5.12/conf/context.xml 
<?xml version="1.0" encoding="UTF-8"?>
<!-- The contents of this file will be loaded for each web application -->
<Context>

    <WatchedResource>WEB-INF/web.xml</WatchedResource>
    <WatchedResource>${catalina.base}/conf/web.xml</WatchedResource>

    <!--
    <CookieProcessor className="org.apache.tomcat.util.http.Rfc6265CookieProcessor" />
    -->

    <CookieProcessor className="org.apache.tomcat.util.http.LegacyCookieProcessor" />

</Context>

I thought org.apache.tomcat.util.http.Rfc6265CookieProcessor would work, but it did not; LegacyCookieProcessor is required.

Reference

https://tomcat.apache.org/tomcat-8.5-doc/config/cookie-processor.html#Legacy_Cookie_Processor_-_org.apache.tomcat.util.http.LegacyCookieProcessor

https://www.rfc-editor.org/rfc/rfc6265

LegacyCookieProcessor implements a strict interpretation of the cookie specifications. Due to various interoperability issues with browsers not all strict behaviours are enabled by default and additional options are available to further relax the behaviour of this cookie processor if required.

prayagupa
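As an added example (not code from the question or from any answer), the checker below implements the RFC 6265 Cookie header grammar that Tomcat's Rfc6265CookieProcessor enforces and runs it over the three malformed headers quoted on this page (constructed from the question's log line, the cURL call above and the mismatched-quote Chrome cookie in the last answer), reporting which cookie-pair a strict parser ignores and why. Knowing the exact offending character is what lets you fix the cookie (solution 1 in the comments) instead of relaxing the parser with LegacyCookieProcessor.

```python
# cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E, i.e. printable
# US-ASCII minus whitespace, DQUOTE, comma, semicolon and backslash.
COOKIE_OCTET = {chr(c) for c in range(0x21, 0x7F)} - set('",;\\')
# cookie-name is an RFC 2616 token: printable US-ASCII minus the separators.
TOKEN_CHARS = {chr(c) for c in range(0x21, 0x7F)} - set('()<>@,;:\\"/[]?={}')


def valid_cookie_name(name):
    return bool(name) and all(ch in TOKEN_CHARS for ch in name)


def valid_cookie_value(value):
    # cookie-value = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE )
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        value = value[1:-1]
    return all(ch in COOKIE_OCTET for ch in value)


def check_cookie_header(header):
    """Classify each cookie-pair of a Cookie request header.

    Returns (accepted, rejected): accepted holds (name, value) tuples that
    satisfy the grammar, rejected holds (raw_pair, reason) for the pairs a
    strict RFC 6265 parser ignores, which is what Tomcat's warning is about.
    """
    accepted, rejected = [], []
    # cookie-string = cookie-pair *( ";" SP cookie-pair ); the SP is tolerated
    # either way, as real-world parsers do.
    for raw in header.split(';'):
        pair = raw.strip(' \t')
        if not pair:
            continue
        if '=' not in pair:
            rejected.append((pair, 'no "=" between cookie-name and cookie-value'))
            continue
        name, value = pair.split('=', 1)
        if not valid_cookie_name(name):
            rejected.append((pair, 'cookie-name is not a token'))
        elif not valid_cookie_value(value):
            bad = sorted({ch for ch in value.strip('"') if ch not in COOKIE_OCTET})
            rejected.append((pair, f'cookie-value contains {bad!r}'))
        else:
            accepted.append((name, value))
    return accepted, rejected


# Constructed samples, copied from the headers quoted on this page.
SAMPLES = {
    'question': ' 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 21, 22, 23]; userId=53136',
    'curl': 'userId=64ad960c-bb7e-48dd-8191-4f31539bc2c2,accessToken=64ad960c-bb7e-48dd-8191-4f31539bc2c2',
    'chrome': '"XSRF-TOKEN=93926112-aa12-440e-8e06-02b7fbce27d5;',
}

if __name__ == '__main__':
    for label, header in SAMPLES.items():
        print(label, check_cookie_header(header))
```

The question's header fails because its first pair has no "=", the cURL value fails on the comma (not a cookie-octet, so the two cookies are not separable under RFC 6265), and the Chrome cookie's name begins with a stray quote; only userId=53136 survives.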

I was getting this issue with Spring Boot versions above 2.2.x.

It got fixed after adding the bean below:

import org.apache.tomcat.util.http.LegacyCookieProcessor;
import org.springframework.boot.web.embedded.tomcat.*;
import org.springframework.boot.web.server.WebServerFactoryCustomizer;
import org.springframework.context.annotation.Bean;

@Bean // registers the customizer so Spring Boot applies it to the embedded Tomcat
public WebServerFactoryCustomizer<TomcatServletWebServerFactory> cookieProcessorCustomizer() {
    return factory -> factory.addContextCustomizers((TomcatContextCustomizer) context ->
        context.setCookieProcessor(new LegacyCookieProcessor())); // replace the default RFC 6265 parser
}
riaz7se


Fwiw: I somehow got my Chrome browser into a really b0rken state, getting it to send a malformed cookie with mismatched quotes: "XSRF-TOKEN=93926112-aa12-440e-8e06-02b7fbce27d5;

Just clearing the cookie from the developer tools wasn't sufficient, but Clear storage from the sidebar of the Application tab seems to have done it.

dtk