How to Change Cookie Processor to Legacycookieprocessor in Tomcat 8

How to change Cookie Processor to LegacyCookieProcessor in tomcat 8

You can try in context.xml

<CookieProcessor className="org.apache.tomcat.util.http.LegacyCookieProcessor" />

reference:
https://tomcat.apache.org/tomcat-8.0-doc/config/cookie-processor.html

Use LegacyCookieProcessor without Spring Boot or context.xml on the server

Tomcat supports per application config in /META-INF/context.xml bundled in the application package just like the web.xml file.

That file supports the cookie processor config

<CookieProcessor className="org.apache.tomcat.util.http.LegacyCookieProcessor" />

Can't Remove cookie from response using LegacyCookieProcessor and redirect to same originating URL

Problem Statement: User-agent (IE) is unable to process (remove) cookie using 'Set-Cookie' header

Relevant diff between Tomcat 8 & 9:

Tomcat 8

• LegacyCookieProcessor is default cookie processor
• there is significance of Tomcat VM param FWD_SLASH_IS_SEPARATOR
• strict compliance with RFC2109

Tomcat 9

• Rfc6265CookieProcessor is default cookie processor
• there is no significance of tomcat VM param FWD_SLASH_IS_SEPARATOR

Relevant diff between cookie processors:
The legacy cookie parsing algorithm supported only limited global configuration via several system properties. Those system properties are still supported, but are going to be deprecated in favor of this new configuration element.
ref: tomcat-8.0, tomcat-8.5

LegacyCookieProcessor

• implements a strict interpretation of the cookie specifications if
• STRICT_SERVLET_COMPLIANCE is true, RFC2109 is enforced

Rfc6265CookieProcessor

• interoperable, but does not allow domain stating with dot (.)

Combination used: Tomcat9 + LegacyCookieProcessor

• If STRICT_SERVLET_COMPLIANCE is set to true, then implicit value of FWD_SLASH_IS_SEPARATOR is also set to true
• And '/' (forward slash) character will be treated as a separator
• "some browsers will fail to process a cookie if the path attribute is quoted as is required by a strict adherence to the specifications"
• usually we run Tomcat with the following:
  org.apache.catalina. STRICT_SERVLET_COMPLIANCE=true, org.apache.tomcat.util.http.ServerCookie.FWD_SLASH_IS_SEPARATOR=false
• Hence, in order to change this behaviour, make use of forwardSlashIsSeparator attribute in LegacyCookieProcessor, instead of FWD_SLASH_IS_SEPARATOR in Tomcat 9

Solution:
Replace VM param FWD_SLASH_IS_SEPARATOR with LegacyCookieProcessor.forwardSlashIsSeparator attribute under context.xml/CookieProcessor

<CookieProcessor className="org.apache.tomcat.util.http.LegacyCookieProcessor" forwardSlashIsSeparator="false"/>

Ref:
RFC2109 - https://www.ietf.org/rfc/rfc2109.txt
RFC6265 - https://www.ietf.org/rfc/rfc6265.txt

A cookie header was received that contained an invalid cookie.

I found the API deployed on tomcat able to grab the cookies when I send a cURL request, though there was tomcat warning.

curl -XPOST -H "Content-Type: application/json"  --cookie "userId=64ad960c-bb7e-48dd-8191-4f31539bc2c2,accessToken=64ad960c-bb7e-48dd-8191-4f31539bc2c2" -d '{"message":"play porcupine tree"}' http://localhost:9090/nlu/convo

But to remove the warning, had to update cookie processor (LegacyCookieProcessor) in the tomcat config (conf/context.xml)

Example,

cat /usr/local/apache-tomcat-8.5.12/conf/context.xml 
<?xml version="1.0" encoding="UTF-8"?>
<!-- The contents of this file will be loaded for each web application -->
<Context>

    <WatchedResource>WEB-INF/web.xml</WatchedResource>
    <WatchedResource>${catalina.base}/conf/web.xml</WatchedResource>

    <!--
    <CookieProcessor className="org.apache.tomcat.util.http.Rfc6265CookieProcessor" />
    -->

    <CookieProcessor className="org.apache.tomcat.util.http.LegacyCookieProcessor" />

</Context>

I thought org.apache.tomcat.util.http.Rfc6265CookieProcessor would work but did not, LegacyCookieProcessor is required.

Reference

https://tomcat.apache.org/tomcat-8.5-doc/config/cookie-processor.html#Legacy_Cookie_Processor_-_org.apache.tomcat.util.http.LegacyCookieProcessor

https://www.rfc-editor.org/rfc/rfc6265

LegacyCookieProcessor implements a strict interpretation of the cookie specifications.
Due to various interoperability issues with browsers not all strict
behaviours are enabled by default and additional options are available
to further relax the behaviour of this cookie processor if required.

Error with cookie-value when adding a new Spring Session

This is due to Tomcat's cookie processing being changed to a RFC 6265 compliant implementation by default in 8.5, which does not allow space (character 32), among others.

As a workaround, you can configure Tomcat to use legacy cookie processor. To do this with Spring Boot, register an EmbeddedServletContainerCustomizer @Bean like this:

@Bean
public EmbeddedServletContainerCustomizer customizer() {
    return container -> {
        if (container instanceof TomcatEmbeddedServletContainerFactory) {
            TomcatEmbeddedServletContainerFactory tomcat = (TomcatEmbeddedServletContainerFactory) container;
            tomcat.addContextCustomizers(context -> context.setCookieProcessor(new LegacyCookieProcessor()));
        }
    };
}

Also see spring-projects/spring-session#gh-605 to track the progress of fixing this in Spring Session.

Update:

The above described solution is valid for Spring Boot 1.x. Starting with Spring Boot 2.0, EmbeddedServletContainerCustomizer has been replaced with WebServerFactoryCustomizer as described in the Spring Boot 2.0 migration guide.

Also note that starting with Spring Session 2.0, session cookie is Base64 encoded by default which prevents the original problem from occurring.

An invalid domain was specified for this cookie

According to RFC 6265 ( https://www.rfc-editor.org/rfc/rfc6265) starting with a . (dot) character may cause problems.

You could try to fallback to the LegacyCookieProcessor, see: How to change Cookie Processor to LegacyCookieProcessor in tomcat 8 for more info .

If you still have problems please inform us about your TC version.

---

Related Topics