Hey Alessio,

Well, that's a good question.

I guess the first thing to notice is that JBEAP-11442 refers to "optional support for RFC6265" in Undertow, so there's nothing being forced on us.

There are 25 Resteasy JIRAs that mention cookies.

  1. A lot of these are old and I've ignored them.

  2. There are a few issues closed by me, Jim, and Rebecca that are bug fixes, and, as such, I don't think they can cause any problems, since they would just, if anything, bring us closer to correct implementation of the spec (but see below).

  3. And then there's RESTEASY-1516 "Cookies sent by resteasy-client are not spec compliant" (open) and the related RESTEASY-1266 "Fix cookie processing" (closed).

I started to get ambitious in RESTEASY-1266 and then just did a bug fix and closed it. That leaves RESTEASY-1516, for which I created https://github.com/jax-rs/api/issues/554 "Clarify documentation ambiguities", which refers to https://github.com/jax-rs/api/issues/435 "Update Cookie and NewCookie to RFC 6265". There doesn't seem to be any reaction to either of them.

The problem is that the JAX-RS spec (specifically javax.ws.rs.core.Cookie and javax.ws.rs.core.NewCookie) refers to IETF RFC 2109, which is now obsolete. It seems to me that the Expert Group should at least do something like what Undertow is doing, by making the Cookie spec configurable.

Until then, I guess the most we could do is add an option to configure which Cookie spec to use, taking advantage of what they've done in Undertow. I don't have any sense of how useful that would be.


On 08/17/2017 02:37 AM, Alessio Soldano wrote:
Thanks for having shared this, Ron.
Do you expect us to have to revisit any of the decisions we have taken so far regarding issues related to cookies?

On Thu, Aug 17, 2017 at 2:41 AM, Ron Sigal <rsigal@redhat.com> wrote:
We've talked in the past about the ambiguity in the JAX-RS spec
concerning cookies. I just noticed this issue:

    https://issues.jboss.org/browse/JBEAP-11442 "[GSS](7.0.z) Add optional support for RFC6265 compliant cookie validation"

Not that there's anything we need to do about. I just thought it might be
worth knowing about.

My company's smarter than your company (unless you work for Red Hat)

resteasy-dev mailing list
