[seam-issues] [JBoss JIRA] (JBSEAM-4398) RememberMe Issue - Base 64 encoded cookie containing '=' is not processed correctly in some cases

Chaithali R (JIRA) jira-events at lists.jboss.org
Mon Oct 1 02:23:03 EDT 2012

    [ https://issues.jboss.org/browse/JBSEAM-4398?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12722705#comment-12722705 ] 

Chaithali R commented on JBSEAM-4398:

We have been using JBoss Seam 2.2.0 GA but are unable to find catch for this. Shane, can you provide me the patch for the same?

> RememberMe Issue - Base 64 encoded cookie containing '=' is not processed correctly in some cases
> -------------------------------------------------------------------------------------------------
>                 Key: JBSEAM-4398
>                 URL: https://issues.jboss.org/browse/JBSEAM-4398
>             Project: Seam 2
>          Issue Type: Bug
>    Affects Versions: 2.1.2.GA, 2.2.0.GA
>         Environment: Observed on Windows Vista, JBoss 5.1.0 GA.  Problem likely exists on other operating systems and other Tomcat 6 based systems.
>            Reporter: Peter Goldstein
>            Assignee: Shane Bryzak
>             Fix For: The future
> When attempting to use the RememberMe component in auto-login mode I discovered a bug in the cookie handling of this component.
> When attempting to log in using an auth token I was encountering repeated failures - the token was simply not being found in the database. After some investigation I discovered that the problem was that the value parameter passed into the query was truncated by one character - the last character was cut off.
> I tracked the problem further back, and discovered that the truncated value originated in JBoss' Tomcat. The cookie value being passed in was missing the last two '=' characters.
> Some Google searching revealed that this was deliberate - Tomcat 6 in the JBoss 5.1.0 GA configuration enforces strict character rules in the cookie value, which excludes '='.
> I'm not sure if Tomcat 6 is 'right' or not, but I do know that either way, this is a trivial issue to address on the Seam side.
> All one has to do is replace the '=' from the Base64 encoded token value with another allowed character (say '_' or '-') before placing it in a cookie, and reverse the process when reading a cookie.
> I have a patch for this issue on the 2.2.0 GA code.  I simply need to know how to submit it.
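
The substitution described in the report, as an added Java example that is not the reporter's patch or Seam's code. The class and method names are hypothetical, `_` is chosen as the replacement character, and `stripEquals` only models a container that drops `=` from cookie values.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;

// Added example; class and method names are hypothetical, not Seam's RememberMe API.
public class CookieSafeToken {
    // '_' is outside the standard Base64 alphabet (A-Z a-z 0-9 + /), so the swap is reversible.
    private static final char PAD = '=';
    private static final char COOKIE_PAD = '_';

    /** Base64-encode the token and swap out '=' before the value goes into a cookie. */
    static String toCookieValue(byte[] token) {
        return Base64.getEncoder().encodeToString(token).replace(PAD, COOKIE_PAD);
    }

    /** Reverse the swap when reading the cookie, then decode (throws IllegalArgumentException if malformed). */
    static byte[] fromCookieValue(String cookieValue) {
        return Base64.getDecoder().decode(cookieValue.replace(COOKIE_PAD, PAD));
    }

    /** Assumption: models a container that drops '=' from cookie values, as the report describes. */
    static String stripEquals(String value) {
        return value.replace("=", "");
    }

    public static void main(String[] args) {
        // Constructed 16-byte sample token: 16 % 3 == 1, so Base64 pads it with "==".
        byte[] token = "0123456789abcdef".getBytes(StandardCharsets.US_ASCII);

        // Before: the plain Base64 value loses its padding in transit and no longer
        // equals the stored token string, so the database lookup fails.
        String stored = Base64.getEncoder().encodeToString(token);
        String received = stripEquals(stored);
        System.out.println("plain:  sent=" + stored + " received=" + received
                + " matchesStored=" + stored.equals(received));

        // After: the substituted value contains no '=', survives unchanged, and decodes
        // back to the original token bytes.
        String cookie = toCookieValue(token);
        String cookieReceived = stripEquals(cookie);
        byte[] decoded = fromCookieValue(cookieReceived);
        System.out.println("seam-side fix: sent=" + cookie + " received=" + cookieReceived
                + " roundTrips=" + Arrays.equals(token, decoded));
    }
}
```

On Java 8 and later, `Base64.getUrlEncoder().withoutPadding()` produces a value with no `=` at all; that is a different technique from the character swap proposed in the report.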
