Why do cookie values with whitespace arrive at the client side with quotes?

When you set a cookie value containing one of the characters mentioned in the Cookie#setValue() javadoc,

With Version 0 cookies, values should not contain white space, brackets, parentheses, equals signs, commas, double quotes, slashes, question marks, at signs, colons, and semicolons. Empty values may not behave the same way on all browsers.

then the average container will implicitly set the cookie to version 1 (RFC 2109 spec) instead of the default version 0 (Netscape spec). This behaviour is not specified by the Servlet API; the container is free to implement it however it likes (it may, for example, throw an IllegalArgumentException instead). As far as I know, Tomcat, JBoss AS and Glassfish all behave the same with regard to implicitly changing the cookie version. For at least Tomcat and JBoss AS this is the consequence of fixes for this security issue.

A version 1 cookie looks like this:

name="value with spaces";Max-Age=3600;Path=/;Version=1

while a version 0 compatible cookie looks like this:

name=value%20with%20spaces;Expires=Mon, 29-Aug-2011 14:30:00 GMT;Path=/

(note that a URL-encoded value is valid for version 0)

An important note is that Microsoft Internet Explorer doesn't support version 1 cookies, not even the current IE 11 release. It will interpret the quotes as being part of the cookie value and will store and return the value accordingly, quotes included. It also does not support the Max-Age attribute and ignores it altogether, which causes the cookie's lifetime to default to the browser session. You were apparently using IE to test the cookie handling of your webapp.

To support MSIE as well, you really need to URL-encode and URL-decode the cookie value yourself if it may contain characters which are invalid for version 0.

// Encode before the value reaches setValue(), so the container sees only
// characters that are valid for a version 0 cookie and never switches to version 1.
Cookie cookie = new Cookie(name, URLEncoder.encode(value, "UTF-8"));
// ...

and

// Decode on the way back in; the browser returns exactly what was encoded.
String value = URLDecoder.decode(cookie.getValue(), "UTF-8");
// ...
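Putting both halves together, here is an added example (not code from the answer above, and not part of any servlet container) of a small helper class that checks a raw value against the javadoc's list of version-0-invalid characters, encodes it before it reaches Cookie#setValue(), and decodes it defensively on the way back. It assumes the javax.servlet API of Servlet 3.0 or later (for setHttpOnly); the class name SafeCookies and the method names are my own.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.net.URLEncoder;

import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Version 0 compatible cookie helpers (example code, not from the original answer).
 * The value is URL-encoded before it reaches Cookie#setValue(), so the container
 * never sees a character that would make it silently switch to a version 1 cookie.
 */
public final class SafeCookies {

    /**
     * Characters the Cookie#setValue() javadoc lists as invalid in a version 0 value,
     * plus the remaining RFC 2616 separators ({ } < > \) as a conservative extra.
     */
    private static final String VERSION0_INVALID = " \t[](){}<>=,\"/?@:;\\";

    private SafeCookies() {}

    /** True if the raw value contains a character that would trigger the version 1 switch. */
    public static boolean needsEncodingForVersion0(String value) {
        for (int i = 0; i < value.length(); i++) {
            if (VERSION0_INVALID.indexOf(value.charAt(i)) >= 0) {
                return true;
            }
        }
        return false;
    }

    /** Encode a raw value so that it only contains characters valid for a version 0 cookie. */
    public static String encodeValue(String raw) {
        try {
            return URLEncoder.encode(raw, "UTF-8");
        } catch (UnsupportedEncodingException e) {
            throw new IllegalStateException("UTF-8 is always available", e);
        }
    }

    /** Decode a cookie value; returns null when the value is absent or not well-formed. */
    public static String decodeValue(String encoded) {
        if (encoded == null) {
            return null;
        }
        try {
            return URLDecoder.decode(encoded, "UTF-8");
        } catch (UnsupportedEncodingException e) {
            throw new IllegalStateException("UTF-8 is always available", e);
        } catch (IllegalArgumentException e) {
            return null; // malformed percent escape (e.g. a tampered cookie): do not trust it
        }
    }

    /** Add a version 0 compatible cookie to the response. */
    public static void addCookie(HttpServletResponse response, String name,
                                 String rawValue, int maxAgeSeconds, boolean secure) {
        Cookie cookie = new Cookie(name, encodeValue(rawValue));
        cookie.setPath("/");
        // Portable API; Tomcat renders this as an Expires attribute for version 0 cookies,
        // which MSIE understands, rather than the Max-Age attribute it ignores.
        cookie.setMaxAge(maxAgeSeconds);
        cookie.setHttpOnly(true); // Servlet 3.0+: keep the value away from page scripts
        cookie.setSecure(secure); // only send over HTTPS when the app itself runs on HTTPS
        response.addCookie(cookie);
    }

    /** Look up a cookie by name and return its decoded value, or null if absent or malformed. */
    public static String readCookie(HttpServletRequest request, String name) {
        Cookie[] cookies = request.getCookies(); // null when the request carries no Cookie header
        if (cookies == null) {
            return null;
        }
        for (Cookie c : cookies) {
            if (name.equals(c.getName())) {
                return decodeValue(c.getValue());
            }
        }
        return null;
    }

    /** Stand-alone demonstration that needs no servlet container. */
    public static void main(String[] args) {
        String raw = "value with spaces; and=more"; // constructed sample value
        String encoded = encodeValue(raw);
        System.out.println("encoded:        " + encoded);
        System.out.println("raw needs enc:  " + needsEncodingForVersion0(raw));
        // The encoded form contains none of the listed characters, so it stays version 0.
        System.out.println("enc needs enc:  " + needsEncodingForVersion0(encoded));
        System.out.println("round trip ok:  " + raw.equals(decodeValue(encoded)));
        // A malformed escape sequence is rejected instead of throwing into the servlet.
        System.out.println("bad%zz decodes: " + decodeValue("bad%zz"));
    }
}
```

URLEncoder leaves only letters, digits and . - * _ unchanged and turns a space into +, so its output can never contain one of the characters in the javadoc list; that is what keeps the container on the version 0 path. Decoding with a null return on IllegalArgumentException means a cookie the browser returns mangled, or one a client edited by hand, is treated as absent rather than crashing the request.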

In order to support version 1 cookies for the worldwide audience, you'll really have to wait for Microsoft to fix the lack of MSIE support and for the browser with the fix to become mainstream. In other words, it'll take ages (update: as of now, 5+ years later, it doesn't seem to be ever going to happen). In the meanwhile you'd best stick to version 0 compatible cookies.
