[jboss-jira] [JBoss JIRA] Commented: (JBAS-7372) Base 64 encoded cookie containing '=' is getting truncated
Darryl Miles (JIRA)
jira-events at lists.jboss.org
Wed Oct 14 10:31:06 EDT 2009
[ https://jira.jboss.org/jira/browse/JBAS-7372?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12489833#action_12489833 ]
Darryl Miles commented on JBAS-7372:
------------------------------------
http://svn.apache.org/repos/asf/tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/http/Cookies.java looks like where the action happens in particular.
In particular org.apache.tomcat.util.http.Cookies#processCookieHeader(byte bytes[], int off, int len)
To the reporter, can you cite some ASP.NET cookie examples from both the ASP.NET end (the original) and what you see using the Servlet Spec API's cookie access function? Can you also generate many ASP.NET cookies and see if the character "/" is ever used in them? The standard base64 character set is:
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
The "/" slash is considered illegal, so maybe ASP.NET substitutes it for another character? It would be good to rule that issue out.
The "=" character is the base64 end padding character. It is not part of the character set as such, since it does not represent any data but is merely used to pad, and is usually present (if at all) at the end of the base64 string.
I guess since the "/" is an illegal character for historic compatibility reasons that ASP.NET must be using a modified/non-standard base64 generator, which should not be called base64.
From a cookie point of view the VALUE is transparent and only the first "=" has special meaning, and the whitespace after it (if any) does not form part of the value, but any other valid characters after it do. So the question is, according to the original (de-facto) cookie specification and updates to that specification, what constitutes "valid characters", and is there some leeway for having a relaxed specification mode for interoperability reasons (even if strict conformance is the default)?
> Base 64 encoded cookie containing '=' is getting truncated
> ----------------------------------------------------------
>
> Key: JBAS-7372
> URL: https://jira.jboss.org/jira/browse/JBAS-7372
> Project: JBoss Application Server
> Issue Type: Bug
> Security Level: Public(Everyone can see)
> Affects Versions: JBossAS-5.1.0.GA
> Environment: WinXP + JBoss 5.1.0 GA
> Windows 2003 IIS 6.0 used to create cookie
> Reporter: Sangeetha Radhakrishnan
>
> Hi,
> My application running in JBoss 5.1.0 GA has to do authentication using a Base 64 encoded cookie which is created by another 3rd party application running on IIS. While reading the cookie from the request object, the '=' got truncated, as JBoss 5.1.0 GA is considering it an invalid cookie character. I can't change the '=' to some other character like '_' before adding the cookie, because the cookie was created by a 3rd party application which is running on IIS. Even though I have tried setting STRICT_SERVLET_COMPLIANCE=false, it is not switching the invalid cookie characters to valid cookie characters if the cookie is created by another application running on IIS.
> Steps to re-produce:
> 1. Write an application called 'dotNetApp1' to create a cookie called "AuthNCookie".
> 2. Deploy this application on IIS 6.0
> 3. Write a simple WebApplication called 'javaApp1' to read the "AuthNCookie" from the browser/request object.
> 4. Deploy this web application in JBoss 5.1.0 GA.
> 5. Access "http://hostname/dotNetApp1" - this will create "AuthNCookie" in the browser.
> 6. In the same browser, change the URL to "http://hostname:8080/javaApp1" to read the "AuthNCookie"
> Could you please let me know if a JBoss patch is available for this issue? Any work-around would also be fine.
> In case a patch or work-around is not available, let me know which JBoss version considers '=' a valid cookie character.
> Thank You!
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
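The two points raised in the thread (which base64 characters collide with the cookie token grammar, and why '=' padding is lost under strict parsing) can be checked with a small standalone script. This is an added example, not code from the issue, from JBoss, or from Tomcat's Cookies.java: the parser below is a simplified model of the RFC 2109 token rule described in the comment, not a reproduction of Tomcat's parser; the header, cookie names and payloads are constructed; and the function names (`parse_cookie_header`, `quote_cookie_value`, `survey_base64_alphabet`) are this script's own.

```python
import base64
import random
import re

# RFC 2616 "separators": in strict (RFC 2109 style) parsing an unquoted cookie
# value is a token, and a token ends at the first separator it meets.
SEPARATORS = set('()<>@,;:\\"/[]?={} \t')

# Standard base64 alphabet (RFC 4648, table 1) plus the '=' pad character.
BASE64_ALPHABET = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/")
BASE64_PAD = "="

# Constructed sample header: a session id plus a base64 value ending in '='
# padding, as an IIS application might set it. Not a real cookie from the issue.
SAMPLE_HEADER = "JSESSIONID=ABC123; AuthNCookie=dXNlcjoxMjM0NQ=="


def base64_chars_illegal_in_token():
    """Which characters of the base64 alphabet (and pad) are token separators?"""
    return sorted(c for c in BASE64_ALPHABET | {BASE64_PAD} if c in SEPARATORS)


def illegal_token_chars(value):
    """Characters in `value` that a strict token parser will not accept."""
    return {c for c in value if c in SEPARATORS or not 32 < ord(c) < 127}


def parse_cookie_header(header, strict=True):
    """Simplified model of Cookie: header parsing (not Tomcat's code).

    strict=True  : an unquoted value is a token and is cut at the first
                   separator, which is how '=' padding gets truncated.
    strict=False : an unquoted value runs to the next ';' (relaxed mode).
    Quoted values (RFC 2109 quoted-string) keep every char in both modes.
    """
    cookies = {}
    for part in header.split(";"):
        name, eq, value = part.strip().partition("=")
        if not eq:
            continue  # no '=' at all: not a name=value pair
        name, value = name.strip(), value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = re.sub(r"\\(.)", r"\1", value[1:-1])  # unescape \x pairs
        elif strict:
            cut = next((i for i, c in enumerate(value) if c in SEPARATORS), len(value))
            value = value[:cut]
        cookies[name] = value
    return cookies


def quote_cookie_value(value):
    """Wrap a value as an RFC 2109 quoted-string so '=' and '/' survive strict parsing."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def survey_base64_alphabet(samples=1000, nbytes=16, seed=1234):
    """Encode many random payloads and count how often '/', '+' and '=' padding
    appear in the output; a seeded RNG keeps the run reproducible."""
    rng = random.Random(seed)
    counts = {"slash": 0, "plus": 0, "padding": 0}
    for _ in range(samples):
        payload = bytes(rng.getrandbits(8) for _ in range(nbytes))
        enc = base64.b64encode(payload).decode("ascii")
        counts["slash"] += "/" in enc
        counts["plus"] += "+" in enc
        counts["padding"] += enc.endswith(BASE64_PAD)
    return counts


if __name__ == "__main__":
    print("base64 chars illegal in a cookie token:", base64_chars_illegal_in_token())
    print("strict :", parse_cookie_header(SAMPLE_HEADER, strict=True))
    print("relaxed:", parse_cookie_header(SAMPLE_HEADER, strict=False))
    quoted = "AuthNCookie=" + quote_cookie_value("dXNlcjoxMjM0NQ==")
    print("quoted :", parse_cookie_header(quoted, strict=True))
    print("alphabet survey:", survey_base64_alphabet())
```

Running it shows that only '/' and '=' from the base64 output collide with the token separators ('+' is fine), that the strict parse returns `dXNlcjoxMjM0NQ` while the relaxed parse keeps the trailing `==`, and that a 16-byte payload always ends in padding while '/' turns up in a large share of random samples, so a cookie issuer that really uses plain base64 will hit both characters. Quoting the value on the issuing side, where that is possible, is the spec-conformant way to get the whole value through a strict parser.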