How to change Cookie Processor to LegacyCookieProcessor in tomcat 8
You can try in context.xml
<CookieProcessor className="org.apache.tomcat.util.http.LegacyCookieProcessor" />
reference:
https://tomcat.apache.org/tomcat-8.0-doc/config/cookie-processor.html
Use LegacyCookieProcessor without Spring Boot or context.xml on the server
Tomcat supports per application config in /META-INF/context.xml bundled in the application package just like the web.xml file.
That file supports the cookie processor config
<CookieProcessor className="org.apache.tomcat.util.http.LegacyCookieProcessor" />
Can't Remove cookie from response using LegacyCookieProcessor and redirect to same originating URL
Problem Statement: User-agent (IE) is unable to process (remove) cookie using 'Set-Cookie' header
Relevant diff between Tomcat 8 & 9:
Tomcat 8
- LegacyCookieProcessor is default cookie processor
- there is significance of Tomcat VM param FWD_SLASH_IS_SEPARATOR
- strict compliance with RFC2109
Tomcat 9
- Rfc6265CookieProcessor is default cookie processor
- there is no significance of tomcat VM param FWD_SLASH_IS_SEPARATOR
Relevant diff between cookie processors:
The legacy cookie parsing algorithm supported only limited global configuration via several system properties. Those system properties are still supported, but are going to be deprecated in favor of this new configuration element.
ref: tomcat-8.0, tomcat-8.5
LegacyCookieProcessor
- implements a strict interpretation of the cookie specifications
- if STRICT_SERVLET_COMPLIANCE is true, RFC2109 is enforced
Rfc6265CookieProcessor
- interoperable, but does not allow domain starting with dot (.)
Combination used: Tomcat9 + LegacyCookieProcessor
- If STRICT_SERVLET_COMPLIANCE is set to true, then implicit value of FWD_SLASH_IS_SEPARATOR is also set to true
- And '/' (forward slash) character will be treated as a separator
- "some browsers will fail to process a cookie if the path attribute is quoted as is required by a strict adherence to the specifications"
- usually we run Tomcat with the following:
org.apache.catalina.STRICT_SERVLET_COMPLIANCE=true, org.apache.tomcat.util.http.ServerCookie.FWD_SLASH_IS_SEPARATOR=false
- Hence, in order to change this behaviour, make use of forwardSlashIsSeparator attribute in LegacyCookieProcessor, instead of FWD_SLASH_IS_SEPARATOR in Tomcat 9
Solution:
Replace VM param FWD_SLASH_IS_SEPARATOR with LegacyCookieProcessor.forwardSlashIsSeparator attribute under context.xml/CookieProcessor
<CookieProcessor className="org.apache.tomcat.util.http.LegacyCookieProcessor" forwardSlashIsSeparator="false"/>
Ref:
RFC2109 - https://www.ietf.org/rfc/rfc2109.txt
RFC6265 - https://www.ietf.org/rfc/rfc6265.txt
A cookie header was received that contained an invalid cookie.
I found the API deployed on Tomcat able to grab the cookies when I send a cURL request, though there was a Tomcat warning.
curl -XPOST -H "Content-Type: application/json" --cookie "userId=64ad960c-bb7e-48dd-8191-4f31539bc2c2,accessToken=64ad960c-bb7e-48dd-8191-4f31539bc2c2" -d '{"message":"play porcupine tree"}' http://localhost:9090/nlu/convo
But to remove the warning, I had to update the cookie processor (LegacyCookieProcessor) in the Tomcat config (conf/context.xml).
Example,
cat /usr/local/apache-tomcat-8.5.12/conf/context.xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- The contents of this file will be loaded for each web application -->
<Context>
    <WatchedResource>WEB-INF/web.xml</WatchedResource>
    <WatchedResource>${catalina.base}/conf/web.xml</WatchedResource>
    <!--
    <CookieProcessor className="org.apache.tomcat.util.http.Rfc6265CookieProcessor" />
    -->
    <CookieProcessor className="org.apache.tomcat.util.http.LegacyCookieProcessor" />
</Context>
I thought org.apache.tomcat.util.http.Rfc6265CookieProcessor would work, but it did not; LegacyCookieProcessor is required.
Reference
https://tomcat.apache.org/tomcat-8.5-doc/config/cookie-processor.html#Legacy_Cookie_Processor_-_org.apache.tomcat.util.http.LegacyCookieProcessor
https://www.rfc-editor.org/rfc/rfc6265
LegacyCookieProcessor implements a strict interpretation of the cookie specifications. Due to various interoperability issues with browsers not all strict behaviours are enabled by default and additional options are available to further relax the behaviour of this cookie processor if required.
Error with cookie-value when adding a new Spring Session
This is due to Tomcat's cookie processing being changed to a RFC 6265 compliant implementation by default in 8.5, which does not allow space (character 32), among others.
As a workaround, you can configure Tomcat to use legacy cookie processor. To do this with Spring Boot, register an EmbeddedServletContainerCustomizer @Bean like this:
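import org.apache.tomcat.util.http.LegacyCookieProcessor;
import org.springframework.boot.context.embedded.EmbeddedServletContainerCustomizer;
import org.springframework.boot.context.embedded.tomcat.TomcatEmbeddedServletContainerFactory;

// Place this method in a @Configuration class (Spring Boot 1.x).
@Bean
public EmbeddedServletContainerCustomizer customizer() {
    return container -> {
        if (container instanceof TomcatEmbeddedServletContainerFactory) {
            TomcatEmbeddedServletContainerFactory tomcat = (TomcatEmbeddedServletContainerFactory) container;
            // Swap the default RFC 6265 processor for the legacy one on every context.
            tomcat.addContextCustomizers(context -> context.setCookieProcessor(new LegacyCookieProcessor()));
        }
    };
}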
Also see spring-projects/spring-session#gh-605 to track the progress of fixing this in Spring Session.
Update:
The above described solution is valid for Spring Boot 1.x. Starting with Spring Boot 2.0, EmbeddedServletContainerCustomizer has been replaced with WebServerFactoryCustomizer as described in the Spring Boot 2.0 migration guide.
Also note that starting with Spring Session 2.0, session cookie is Base64 encoded by default which prevents the original problem from occurring.
An invalid domain was specified for this cookie
According to RFC 6265 (https://www.rfc-editor.org/rfc/rfc6265), starting with a . (dot) character may cause problems.
You could try to fall back to the LegacyCookieProcessor; see: How to change Cookie Processor to LegacyCookieProcessor in tomcat 8 for more info.
If you still have problems please inform us about your TC version.
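An added example (not from any of the answers above, and not Tomcat's own parser): a small Python check based on the RFC 6265 section 4.1.1 grammar that flags the three inputs discussed on this page, namely the comma-joined cookie string from the cURL command, a cookie value containing a space, and a domain starting with a dot. The function names are hypothetical and the checks approximate the RFC grammar; they are meant for finding what to correct in the cookies themselves before relaxing the cookie processor.

```python
import re

# cookie-octet (RFC 6265 section 4.1.1): visible US-ASCII except DQUOTE,
# comma, semicolon and backslash; whitespace and control characters excluded.
COOKIE_OCTET = re.compile(r'[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]')
# cookie-name is an HTTP token.
TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
# One host-name label: letters and digits, hyphens only in the middle.
LABEL = re.compile(r'[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?')

# Cookie string from the cURL command on this page (comma between the pairs).
CURL_COOKIE = ('userId=64ad960c-bb7e-48dd-8191-4f31539bc2c2,'
               'accessToken=64ad960c-bb7e-48dd-8191-4f31539bc2c2')
# Constructed: the same two cookies joined with "; " as RFC 6265 requires.
FIXED_COOKIE = CURL_COOKIE.replace(',accessToken', '; accessToken')


def bad_value_chars(value):
    """Return the characters of a cookie value that are not cookie-octets."""
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]  # a value may be wrapped in one pair of DQUOTEs
    return sorted({c for c in value if not COOKIE_OCTET.fullmatch(c)})


def domain_ok(domain):
    """True when every dot-separated label is valid, so no leading dot."""
    return all(LABEL.fullmatch(part) for part in domain.split('.'))


def check_cookie_header(header):
    """Check a Cookie request header; return (name, problem) findings."""
    findings = []
    for pair in header.split('; '):
        name, sep, value = pair.partition('=')
        if not sep or not TOKEN.fullmatch(name):
            findings.append((name, 'not a valid name=value pair'))
            continue
        bad = bad_value_chars(value)
        if bad:
            findings.append((name, 'illegal characters %r' % (bad,)))
    return findings


if __name__ == '__main__':
    print(check_cookie_header(CURL_COOKIE))   # comma inside the userId value
    print(check_cookie_header(FIXED_COOKIE))  # no findings
    print(bad_value_chars('a b'), domain_ok('.example.com'))
```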