Re: [Winstone-devel] Invalid cookie name breaking webapp
From: Rick K. <ri...@kn...> - 2008-04-20 12:38:56
Strictly speaking, Winstone should throw a 400 error instead of a 500 error in this case, but whatever the error, the request is invalid, so the container can't (and shouldn't be able to) handle it.

There really isn't any question of "robustness" here, just that a) the browser shouldn't allow receipt of cookies like that and b) the server that set them shouldn't send them.

The server receiving the cookies shouldn't have any responsibility at all for repairing badly formatted requests. Any guesses would be likely wrong and propagate the error to somewhere it shouldn't go.

I'd like to know more about when this illegal cookie appeared. If Winstone set it, I need to block that. I also would like to know which browser received and propagated it ... most browsers don't allow this kind of cookie anyway. Do you know which browser it was?

Thanks,

Rick

JLIST wrote:
> I got this error when I first start a webapp (from a .war file)
> on localhost:8080, the browser shows a blank page:
>
> [Winstone 2008/04/19 23:38:31] - Error within request handler thread
> java.lang.IllegalArgumentException: Cookie name contains whitespace or non-alphanumeric char: in Set-Cookie: mycookie-id
>         at javax.servlet.http.Cookie.setName(Cookie.java:87)
>         at javax.servlet.http.Cookie.<init>(Cookie.java:25)
>         at winstone.WinstoneRequest.parseCookieLine(WinstoneRequest.java:662)
>         at winstone.WinstoneRequest.parseHeaders(WinstoneRequest.java:617)
>         at winstone.HttpListener.parseHeaders(HttpListener.java:386)
>         at winstone.HttpListener.parseURI(HttpListener.java:249)
>         at winstone.RequestHandlerThread.run(RequestHandlerThread.java:87)
>         at java.lang.Thread.run(Unknown Source)
>
> Then I deleted cookies for localhost, the webapp started working.
> So what happened could be that I ran another server on localhost:8080
> before and browser got some cookies stored from then.
>
> My question is, should the invalid cookies break the webservice
> like they are now, or should they just be ignored, because you
> can never prevent browsers to send invalid cookies? I think the
> latter makes the servlet container more robust.
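
The behaviour discussed in this thread (answer a malformed Cookie header with a 400 instead of letting the exception surface as a 500, and never guess at a repair), as an added example that is not part of the original message or of Winstone's code. The class and method names are hypothetical, and the name check assumes the HTTP "token" rule from RFC 2616 section 2.2.

```java
import java.util.LinkedHashMap;
import java.util.Map;
// Added illustration, not Winstone code. All names here are hypothetical.
public class CookieHeaderCheck {
    // Separator characters that may not appear in an HTTP token (RFC 2616, 2.2).
    private static final String SEPARATORS = "()<>@,;:\\\"/[]?={} \t";

    /** Signals a malformed Cookie header and carries the status to send. */
    static class BadRequestException extends Exception {
        final int status = 400;
        BadRequestException(String msg) { super(msg); }
    }

    static boolean isToken(String name) {
        if (name.isEmpty()) return false;
        for (char c : name.toCharArray()) {
            // Reject controls, space, DEL, non-ASCII and separators.
            if (c <= 0x20 || c >= 0x7f || SEPARATORS.indexOf(c) >= 0) return false;
        }
        return true;
    }

    /** Parses a Cookie request header value; rejects the request, never repairs it. */
    static Map<String, String> parse(String header) throws BadRequestException {
        Map<String, String> cookies = new LinkedHashMap<>();
        for (String pair : header.split(";")) {
            if (pair.trim().isEmpty()) continue;
            int eq = pair.indexOf('=');
            String name = (eq < 0 ? pair : pair.substring(0, eq)).trim();
            String value = eq < 0 ? "" : pair.substring(eq + 1).trim();
            if (!isToken(name)) {
                // The offending text is not echoed back to the client.
                throw new BadRequestException("Invalid cookie name in request");
            }
            cookies.put(name, value);
        }
        return cookies;
    }

    public static void main(String[] args) {
        // Constructed sample headers; the second has a space inside a cookie name.
        String[] samples = { "JSESSIONID=abc123; theme=dark", "JSESSIONID=abc123; my cookie=1" };
        for (String h : samples) {
            try {
                System.out.println("200 " + parse(h));
            } catch (BadRequestException e) {
                System.out.println(e.status + " " + e.getMessage());
            }
        }
    }
}
```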