Re: [Winstone-devel] Invalid cookie name breaking webapp

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Strictly speaking, Winstone should throw a 400 error instead of a 500 
error in this case, but whatever the error, the request is invalid, so 
the container can't (and shouldn't be able to) handle it.

There really isn't any question of "robustness" here, just that
a) the browser shouldn't allow receipt of cookies like that and
b) the server that set them shouldn't send them

The server receiving the cookies shouldn't have any responsibility at 
all for repairing badly formatted requests. Any guesses would be likely 
wrong and propagate the error to somewhere it shouldn't go.

I'd like to know more about when this illegal cookie appeared. If 
winstone set it, I need to block that. I also would like to know which 
browser received and propagated it ... most browsers don't allow this 
kind of cookie anyway. Do you know which browser it was ?

Thanks,

Rick

JLIST wrote:
> I got this error when I first start a webapp (from a .war file)
> on localhost:8080, the browser shows a blank page:
>
> [Winstone 2008/04/19 23:38:31] - Error within request handler thread
> java.lang.IllegalArgumentException: Cookie name contains whitespace or non-alphanumeric char:   in S
> et-Cookie: mycookie-id
>         at javax.servlet.http.Cookie.setName(Cookie.java:87)
>         at javax.servlet.http.Cookie.<init>(Cookie.java:25)
>         at winstone.WinstoneRequest.parseCookieLine(WinstoneRequest.java:662)
>         at winstone.WinstoneRequest.parseHeaders(WinstoneRequest.java:617)
>         at winstone.HttpListener.parseHeaders(HttpListener.java:386)
>         at winstone.HttpListener.parseURI(HttpListener.java:249)
>         at winstone.RequestHandlerThread.run(RequestHandlerThread.java:87)
>         at java.lang.Thread.run(Unknown Source)
>
> Then I deleted cookies for localhost, the webapp started working.
> So what happened could be that I ran another server on localhost:8080
> before and browser got some cookies stored from then.
>
> My question is, should the invalid cookies break the webservice
> like they are now, or should they just be ignored, because you
> can never prevent browsers to send invalid cookies? I think the
> latter makes the servlet container more robust.
>
>
>
> -------------------------------------------------------------------------
> This SF.net email is sponsored by the 2008 JavaOne(SM) Conference 
> Don't miss this year's exciting event. There's still time to save $100. 
> Use priority code J8TL2D2. 
> http://ad.doubleclick.net/clk;198757673;13503038;p?http://java.sun.com/javaone
> _______________________________________________
> Winstone-devel mailing list
> Win...@li...
> https://lists.sourceforge.net/lists/listinfo/winstone-devel
>   