Issue with CookieBasedUserManager


fmeschbe

Jun 17, 2010, 2:49:07 AM
to dyuproject
Hi all,

First off, thanks for providing this easy to use Relying Party
implementation.

There is one thing, though: I stumbled upon an issue with the
CookieBasedUserManager, and wanted to ask whether this is already a
known issue or not...

The problem is that the cookie value produced by the
CookieBasedUserManager may (and mostly will) contain equals (=)
characters. This causes some servlet containers to fail parsing the
cookie value when presented by the client browser. The reason is that
the equals character is not a valid character for a "token" as per the
HTTP spec (RFC 2616).

The fix here is to quote the cookie value before creating the cookie
instance, like

Cookie cookie = new Cookie(_cookieName, "\"" + value + "\"");

on line 285 in the CookieBasedUserManager.

Thanks and Regards
Felix

David Yu

Jun 17, 2010, 4:37:08 AM
to dyupr...@googlegroups.com

When jetty writes the cookie, it automatically quotes the value.  I think this might be in the servlet spec (not sure).
What servlet container did you use when it wrote the cookie without the quotes?


--
You received this message because you are subscribed to the Google Groups "dyuproject" group.
To post to this group, send email to dyupr...@googlegroups.com.
To unsubscribe from this group, send email to dyuproject+...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/dyuproject?hl=en.




--
When the cat is away, the mouse is alone.
- David Yu

David Yu

Jun 17, 2010, 4:59:50 AM
to dyupr...@googlegroups.com
On Thu, Jun 17, 2010 at 4:37 PM, David Yu <david....@gmail.com> wrote:


On Thu, Jun 17, 2010 at 2:49 PM, fmeschbe <fmes...@gmail.com> wrote:
Hi all,

First off, thanks for providing this easy to use Relying Party
implementation.

There is one thing, though: I stumbled upon an issue with the
CookieBasedUserManager, and wanted to ask whether this is already a
known issue or not...

The problem is that the cookie value produced by the
CookieBasedUserManager may (and mostly will) contain equals (=)
characters. This causes some servlet containers to fail parsing the
cookie value when presented by the client browser. The reason is that
the equals character is not a valid character for a "token" as per the
HTTP spec (RFC 2616).

The fix here is to quote the cookie value before creating the cookie
instance, like

   Cookie cookie = new Cookie(_cookieName, "\"" + value + "\"");

on line 285 in the CookieBasedUserManager.

When jetty writes the cookie, it automatically quotes the value.  I think this might be in the servlet spec (not sure).
What servlet container did you use when it wrote the cookie without the quotes?

Hmm, it might be firebug that's automatically quoting the cookie value (for display purposes).  It certainly did not quote the '0' cookie value upon CookieBasedUserManager.invalidate

I added the fix anyway.  Thanks!



Felix Meschberger

Jun 17, 2010, 6:42:37 AM
to dyupr...@googlegroups.com
Hi,

Thanks a lot for the quick turnaround.

I did use a proprietary container, which does not quote the values. In
the servlet spec I find nothing around quoting of cookie values.

My tests on Jetty were successful, though. But it looks like Jetty
quotes the Cookie value before sending while my servlet container
doesn't....

>
>
> Hmm, it might be firebug thats automatically quoting the cookie value
> (for display purposes). It certainly did not quote the '0' cookie value
> upon CookieBasedUserManager.invalidate
>
> I added the fix anyway. Thanks!

Thanks. But I just see, that the fix seems to break things on Jetty :-(

What I found to be working in both containers is setting the cookie
version to 1.

Regards
Felix
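To make the two findings in this thread concrete (the '=' padding that trips RFC 2616 token parsing, and the Version 1 cookie that worked in both containers), here is an added illustration. It is not dyuproject or CookieBasedUserManager code: it builds the Set-Cookie header text by hand instead of using javax.servlet.http.Cookie, and the cookie name "user" and the payload bytes are constructed for the demo.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

// Added illustration, not dyuproject code: shows why a value such as the one
// CookieBasedUserManager produces fails RFC 2616 token parsing, and compares
// the quoting fix, the Version=1 cookie, and a token-safe encoding.
public class CookieValueDemo {

    // RFC 2616 "separators"; a token may contain neither these nor CTL characters.
    private static final String SEPARATORS = "()<>@,;:\\\"/[]?={} \t";

    // True if every character of s is a valid RFC 2616 token character.
    static boolean isToken(String s) {
        if (s.isEmpty()) {
            return false;
        }
        for (char c : s.toCharArray()) {
            if (c < 0x20 || c >= 0x7f || SEPARATORS.indexOf(c) >= 0) {
                return false;
            }
        }
        return true;
    }

    // RFC 2616 quoted-string: wrap in double quotes, backslash-escape '"' and '\'.
    static String quote(String s) {
        StringBuilder sb = new StringBuilder("\"");
        for (char c : s.toCharArray()) {
            if (c == '"' || c == '\\') {
                sb.append('\\');
            }
            sb.append(c);
        }
        return sb.append('"').toString();
    }

    // Version 0 (Netscape-style) Set-Cookie: quote only when the value is not a token.
    // This mirrors what the thread says Jetty does on its own; a container that
    // writes the raw value instead produces the unparseable form.
    static String version0Header(String name, String value) {
        return name + "=" + (isToken(value) ? value : quote(value));
    }

    // Version 1 (RFC 2109) Set-Cookie: a quoted-string value is always permitted.
    static String version1Header(String name, String value) {
        return name + "=" + quote(value) + "; Version=1";
    }

    // Alternative that needs no quoting at all: URL-safe base64 without padding
    // uses only A-Z, a-z, 0-9, '-' and '_', all of which are token characters.
    static String tokenSafeEncode(byte[] raw) {
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    public static void main(String[] args) {
        // Constructed sample payload (hypothetical, not the real cookie layout).
        byte[] raw = "openid-user:12345".getBytes(StandardCharsets.US_ASCII);
        String standardB64 = Base64.getEncoder().encodeToString(raw); // 17 bytes -> ends in '='

        System.out.println("raw value:            " + standardB64);
        System.out.println("is RFC 2616 token?    " + isToken(standardB64));   // false, because of '='
        System.out.println("Version 0, unquoted:  user=" + standardB64);       // what a non-quoting container sends
        System.out.println("Version 0, quoted:    " + version0Header("user", standardB64));
        System.out.println("Version 1:            " + version1Header("user", standardB64));

        // The "0" written on invalidate is already a token, so it is never quoted,
        // which matches the observation earlier in the thread.
        System.out.println("invalidate value:     " + version0Header("user", "0"));

        String safe = tokenSafeEncode(raw);
        System.out.println("token-safe encoding:  " + safe + " (token? " + isToken(safe) + ")");
    }
}
```

Two practical notes follow from this. First, a container that already quotes non-token values (as the thread says Jetty does) will wrap a manually quoted value a second time, which is the breakage reported above; Version 1 avoids that because the quoted-string form is part of the cookie grammar rather than a container courtesy. Second, when checking which form your container actually emits, read the raw Set-Cookie header from the response (for example with a command-line HTTP client) rather than a browser tool's rendering, since the display may add quotes that are not on the wire.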


David Yu

Jun 17, 2010, 6:57:05 AM
to dyupr...@googlegroups.com