Wednesday 28 January 2009

Banned Characters in Cookies in Tomcat

I was recently asked to look into why we had a problem with "[]" (square brackets) that were being passed to us as part of an affiliate id, e.g. "SF_1234_[345]".


It seems we were saving the value to a cookie. This works fine if you check the cookie values in the browser. However, when we tried to read the value back in Tomcat, it came back truncated to "SF_1234_".


After some painful research, I finally found a page on the Tomcat bug list that clarifies the issue and breaks the RFCs down into manageable information.


The upshot is quite simple.


The following characters (the "separators" defined in RFC 2616 section 2.2, which a token may not contain) should never be used in an unquoted cookie value:

( ) < > @ , ; : \ " / [ ] ? = { }

plus the space and horizontal tab characters. Written as a Java string literal, that is the list the bug list page gives:

()<>@,;:\\\"/[]?={} \t


While they will work on some systems, anything that implements the RFC grammar properly (RFC 2109 says an unquoted cookie value must be a token) will stop reading the value at the first separator, which is exactly what happened to us with Tomcat. If you need one of these characters in a value, either send it as a quoted-string (wrapped in double quotes, with any embedded quote or backslash escaped) or encode it, for example with URL encoding, before setting the cookie.
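To make the truncation concrete, here is a small model of a strict token/quoted-string cookie parser, alongside the two safe ways of carrying a value like "SF_1234_[345]". This is an added example written for this page, not code from the original post or from Tomcat; the parser mimics the behaviour the post describes (stop at the first separator, discard the tail up to the next ';') and is an assumption about that behaviour, not a copy of Tomcat's own cookie code. Function names are my own.

```python
# Added example (not from the original post or from Tomcat): what an RFC 2109/2616-style
# token parser does with separators in an unquoted cookie value, and two safe encodings.
from typing import Dict, Tuple
from urllib.parse import quote, unquote

# RFC 2616 section 2.2 "separators". A token may contain neither these nor CTLs.
SEPARATORS = frozenset('()<>@,;:\\"/[]?={} \t')


def is_ctl(ch: str) -> bool:
    """RFC 2616 CTL: octets 0-31 and 127."""
    return ord(ch) < 32 or ord(ch) == 127


def is_token(value: str) -> bool:
    """True if value is a non-empty RFC 2616 token, i.e. safe as an unquoted cookie value."""
    return bool(value) and all(
        ord(c) < 128 and not is_ctl(c) and c not in SEPARATORS for c in value)


def read_token(s: str, i: int) -> Tuple[str, int]:
    """Consume token characters from s[i]; stop at the first separator or CTL.
    This is the truncation the post describes ("SF_1234_[345]" -> "SF_1234_")."""
    j = i
    while j < len(s) and not is_ctl(s[j]) and s[j] not in SEPARATORS:
        j += 1
    return s[i:j], j


def read_quoted_string(s: str, i: int) -> Tuple[str, int]:
    """Consume an RFC 2616 quoted-string whose opening DQUOTE is at s[i].
    A backslash escapes the next character. Returns (unescaped text, index after closing quote)."""
    out = []
    j = i + 1
    while j < len(s):
        c = s[j]
        if c == '\\' and j + 1 < len(s):
            out.append(s[j + 1])
            j += 2
            continue
        if c == '"':
            return ''.join(out), j + 1
        out.append(c)
        j += 1
    raise ValueError("unterminated quoted-string in cookie header")


def parse_cookie_header(header: str) -> Dict[str, str]:
    """Parse a Cookie request header as a strict RFC 2109-style parser would:
    value = token | quoted-string. Whatever follows a truncated token, up to the
    next ';', is discarded (assumed model of the behaviour the post describes)."""
    cookies: Dict[str, str] = {}
    i, n = 0, len(header)
    while i < n:
        while i < n and header[i] in ' \t;':
            i += 1
        if i >= n:
            break
        name, i = read_token(header, i)
        value = ''
        if i < n and header[i] == '=':
            i += 1
            if i < n and header[i] == '"':
                value, i = read_quoted_string(header, i)
            else:
                value, i = read_token(header, i)
        if name:
            cookies[name] = value
        while i < n and header[i] != ';':   # drop the rejected tail
            i += 1
    return cookies


def quote_cookie_value(value: str) -> str:
    """Safe form 1: wrap value as an RFC 2616 quoted-string, escaping DQUOTE and backslash."""
    if any(is_ctl(c) and c not in ' \t' for c in value):
        raise ValueError("control characters are not allowed in a cookie value")
    return '"' + value.replace('\\', '\\\\').replace('"', '\\"') + '"'


def percent_encode_cookie_value(value: str) -> str:
    """Safe form 2: percent-encode so only unreserved characters and %XX remain,
    all of which are token characters. The application must decode it on the way back."""
    return quote(value, safe='')


def percent_decode_cookie_value(raw: str) -> str:
    return unquote(raw)


if __name__ == "__main__":
    affiliate = "SF_1234_[345]"                                  # constructed sample value
    print(is_token(affiliate))                                   # False: '[' and ']' are separators
    print(parse_cookie_header("aff=" + affiliate + "; sess=abc"))  # aff is truncated to 'SF_1234_'
    print(parse_cookie_header("aff=" + quote_cookie_value(affiliate) + "; sess=abc"))
    enc = percent_encode_cookie_value(affiliate)
    print(enc, percent_decode_cookie_value(parse_cookie_header("aff=" + enc)["aff"]))
```

Percent-encoding is usually the easier of the two to deploy, because the encoded value is a plain token and survives any parser that accepts RFC 2109 cookies; the quoted-string form depends on the server's parser honouring backslash escapes. As a caveat for anyone reading this later: RFC 6265 (2011) narrowed the forbidden set to CTLs, space, DQUOTE, comma, semicolon and backslash, so a parser that follows it (Tomcat's Rfc6265CookieProcessor, the default from Tomcat 8.5) accepts square brackets as-is; the list above is what the older RFC 2109/2616 grammar, and Tomcat's legacy parser, enforce.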
