[seam-issues] [JBoss JIRA] Commented: (JBSEAM-3908) RememberMe on JBoss 5 loses part of the username when formatted as an email address

Wulf Rowek (JIRA) jira-events at lists.jboss.org
Thu Feb 18 05:48:10 EST 2010


    [ https://jira.jboss.org/jira/browse/JBSEAM-3908?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12515177#action_12515177 ] 

Wulf Rowek commented on JBSEAM-3908:
------------------------------------

This issue has the same cause as https://jira.jboss.org/jira/browse/JBSEAM-4398:

I found out that org.jboss.seam.faces.Selector, which is used to store the username as a cookie to remember it, uses version 0 (Netscape spec) cookies.

Version 0 cookies can contain any chars in the value w/o quoting it, except ',', ';' and ' '.

Version 1 (RFC 2965 in conjunction with RFC 2616) rejects more chars (i.e. '@') in an unquoted cookie value.

It seems that Tomcat recognizes version 0 cookies when sending them in an HTTP response, so it doesn't force quoting the value unless there is one of ',', ';' or ' ' in the value (org.apache.tomcat.util.http.ServerCookie), with one exception: one can set a system property org.apache.catalina.STRICT_SERVLET_COMPLIANCE = false, in which case a version 0 cookie will be handled as version 1 when processing the value for quoting.

But Tomcat parses received cookies in a request only in a version 1 way (org.apache.tomcat.util.http.Cookies), thus truncating an unquoted string at the occurrence of a separator char like '@' or '='.

My suggestion is to use version-1-conforming cookies in org.jboss.seam.faces.Selector, just by setting cookie.setVersion(1); in setCookieValueIfEnabled.

> RememberMe on JBoss 5 loses part of the username when formatted as an email address
> -----------------------------------------------------------------------------------
>
>                 Key: JBSEAM-3908
>                 URL: https://jira.jboss.org/jira/browse/JBSEAM-3908
>             Project: Seam
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: 2.1.1.CR1, 2.1.1.GA
>         Environment: JBoss 5.0.0.GA
> Java 1.6.0_07
> Mac OS X 10.5.6
> Both Firefox 3.0.5 and Safari 3.2.1
>            Reporter: Cameron Fieber
>            Assignee: Shane Bryzak
>
> This is reproducible with the seam-space sample application:
> # Deploy seam-space on JBoss 5.0.0.GA
> # Sign up for a new account, and for username use an email address (user at host.net)
> # Sign out.
> # Sign in with the username and password with 'Remember Me' checked
> # Sign out.  You should notice that the username that is autopopulated is only 'user' not 'user at host.net'
> I've tested it on both 2.1.1.CR1 and 2.1.1.GA.
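The write/read mismatch described in the comment above, modelled as an added example (not Seam or Tomcat code): a simplified version 0 writer leaves '@' unquoted, a version 1 reader stops an unquoted value at the first RFC 2616 separator, and switching the writer to version 1 makes the value round-trip. The separator sets and the `round_trip` helper are this example's own simplification of the behaviour the comment attributes to ServerCookie and Cookies.

```python
# RFC 2616 section 2.2 separators: an unquoted token ends at any of these
# under the version 1 (RFC 2965) cookie grammar.
RFC2616_SEPARATORS = set('()<>@,;:\\"/[]?={} \t')
# Netscape (version 0) cookies only treat these as delimiters.
NETSCAPE_SEPARATORS = set(',; ')


def _separators(version):
    return RFC2616_SEPARATORS if version == 1 else NETSCAPE_SEPARATORS


def parse_cookie_value(raw, version):
    """Value a reader following the given cookie version keeps from 'raw'.

    A double-quoted value is taken whole (backslash escapes honoured);
    an unquoted value is cut at the first separator for that version.
    """
    if raw.startswith('"'):
        out, i = [], 1
        while i < len(raw) and raw[i] != '"':
            if raw[i] == '\\' and i + 1 < len(raw):
                i += 1  # skip the escape, keep the escaped character
            out.append(raw[i])
            i += 1
        return ''.join(out)
    out = []
    for ch in raw:
        if ch in _separators(version):
            break
        out.append(ch)
    return ''.join(out)


def format_cookie_value(value, version):
    """Quote the value only when the writer's cookie version requires it."""
    if any(ch in _separators(version) for ch in value):
        return '"' + value.replace('\\', '\\\\').replace('"', '\\"') + '"'
    return value


def round_trip(username, writer_version, reader_version):
    """Write the username as a cookie, then read it back as Tomcat would."""
    on_the_wire = format_cookie_value(username, writer_version)
    return parse_cookie_value(on_the_wire, reader_version)


if __name__ == '__main__':
    user = 'user@host.net'  # constructed sample username
    print(round_trip(user, 0, 1))  # version 0 writer, version 1 reader: 'user'
    print(round_trip(user, 1, 1))  # version 1 writer quotes it: 'user@host.net'
```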

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
