Stuart Douglas moved JBEAP-12758 to WFLY-9233:
----------------------------------------------
Project: WildFly (was: JBoss Enterprise Application Platform)
Key: WFLY-9233 (was: JBEAP-12758)
Workflow: GIT Pull Request workflow (was: CDW with loose statuses v1)
Component/s: Web (Undertow) (was: Web (Undertow))
Affects Version/s: (was: 7.0.5.GA)
[GSS](7.1.0) Add optional support for RFC6265 compliant cookie validation
-------------------------------------------------------------------------
Key: WFLY-9233
URL: https://issues.jboss.org/browse/WFLY-9233
Project: WildFly
Issue Type: Enhancement
Components: Web (Undertow)
Reporter: Stuart Douglas
Assignee: Stuart Douglas
Priority: Blocker
Labels: downstream_dependency
Undertow does not conform to the Set-Cookie syntax defined in the cookie specification.
[RFC6265 (Section 4.1 Set-Cookie)|http://httpwg.org/specs/rfc6265.html#rfc.section.4.1]
states that servers SHOULD NOT send Set-Cookie headers that fail to conform to the defined
grammar. For example, a cookie value should consist of US-ASCII characters excluding CTLs,
whitespace, double quote, comma, semicolon, and backslash.
However, Undertow does not reject these invalid characters. For example, when accessing
the following JSP, which adds one of the invalid characters (a whitespace) to the cookie value:
{code}
<%
// The value contains a space, which is not a cookie-octet under RFC6265
Cookie c = new Cookie("example","example cookie");
response.addCookie(c);
%>
{code}
Undertow responds with the following Set-Cookie header, which is not a valid
{{Set-Cookie}} header under RFC6265:
{code}
Set-Cookie: example=example cookie
{code}
Note: The previous cookie specifications
([RFC2109|https://tools.ietf.org/html/rfc2109#section-4.1] and
[RFC2965|https://tools.ietf.org/html/rfc2965#section-3.1]) allow some of these characters in the cookie
value when the cookie value is quoted (i.e. {{Set-Cookie: example="example
cookie"}} was allowed in the old specifications). EAP 6/JBossWeb (and Tomcat
6.0/7.0/8.0) conform to this old specification and automatically quote a cookie
value (and also the path and domain) when the value contains any separator characters which
should be quoted.
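As an added example (not Undertow's, JBossWeb's or Tomcat's code), the following Python validator implements the RFC6265 cookie-octet grammar quoted above and contrasts strict rejection of the "example cookie" value with the legacy quoting behaviour described in the note. The function names and the simplified legacy quoting (no escaping of embedded quotes or backslashes) are assumptions made for the example.

```python
import re
from typing import List

# RFC 6265 section 4.1.1 grammar:
#   cookie-value = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE )
#   cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
#                  ; US-ASCII excluding CTLs, whitespace, DQUOTE,
#                  ; comma, semicolon and backslash
COOKIE_OCTET_RE = re.compile(r"\A[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*\Z")
# cookie-name is an HTTP token: no CTLs and none of the separators
TOKEN_RE = re.compile(r"\A[!#$%&'*+\-.^_`|~0-9A-Za-z]+\Z")


def strip_quotes(value: str) -> str:
    """Remove one pair of surrounding DQUOTEs, which RFC 6265 still permits."""
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return value[1:-1]
    return value


def offending_chars(value: str) -> List[str]:
    """Characters of value (outer quotes stripped) that are not cookie-octets."""
    return [c for c in strip_quotes(value) if not COOKIE_OCTET_RE.match(c)]


def is_rfc6265_value(value: str) -> bool:
    """True when value is a valid RFC 6265 cookie-value."""
    return not offending_chars(value)


def set_cookie_header(name: str, value: str, strict: bool = True) -> str:
    """Render a Set-Cookie header line (example helper, not a library API).

    strict=True  : RFC 6265 mode, reject names/values outside the grammar,
                   which is what the optional validation requested here does.
    strict=False : legacy mode modelled on the JBossWeb/Tomcat behaviour in
                   the note: wrap a value containing characters outside the
                   grammar in DQUOTEs (simplified, no escaping of the value).
    """
    if not TOKEN_RE.match(name):
        raise ValueError("cookie name is not an HTTP token: %r" % name)
    bad = offending_chars(value)
    if bad:
        if strict:
            raise ValueError("invalid cookie-octet(s) %r in value %r" % (bad, value))
        if not (value.startswith('"') and value.endswith('"')):
            value = '"' + value + '"'
    return "Set-Cookie: %s=%s" % (name, value)
```

With the JSP value from this issue, strict mode raises ValueError while legacy mode yields the quoted form the older specifications allowed.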