jetty&tomcat如何对待bad cookie分析
结论:
对于bad cookie(javax.servlet.http.Cookie构造函数抛IllegalArgumentException异常), jetty捕获异常后warn级别输出异常信息,而tomcat捕获异常后不做任何处理,所以在jetty的日志中能看到异常而tomcat没有异常。不影响应用的正常运行。
起因:jetty应用测试中发现日志中
2010-10-26 15:58:09.589:WARN::java.lang.IllegalArgumentException: Cookie name "26-Oct-2011 07:39:08 GMT" is a reserved token
类似的错误
排查发现这段异常从javax.servlet.http.Cookie的构造函数中抛出,
jetty中调用cookie构造函数的点为org.eclipse.jetty.server.Request.getCookies(),最后调用org.eclipse.jetty.server.CookieCutter.parseFields()
而tomcat中调用点org.apache.catalina.connector.Request.parseCookies()
?
备注:1. 根据 RFC 2109标准
The name must conform to RFC 2109. That means it can contain only ASCII alphanumeric characters and cannot contain commas, semicolons, or white space or begin with a $ character. The cookie's name cannot be changed after creation.
The value can be anything the server chooses to send. Its value is probably of interest only to the server. The cookie's value can be changed after creation with the setValue method.
By default, cookies are created according to the Netscape cookie specification. The version can be changed with thesetVersion method.
bad cookie:cookie name不能是保留字,不能含空格,不能以$开头,否则cookie被视为bad cookie。
