Starting with patch 9.4.3, Jetty will be fully compliant with RFC6265, which presents changes to cookies which may have significant impact for some users.
Up until now Jetty has supported Version=1 cookies defined in RFC2109 (and continued in RFC2965) which allows for special/reserved characters (control, separator, et al) to be enclosed within double quotes when declared in a Set-Cookie response header:

Set-Cookie: foo="bar;baz";Version=1;Path="/secur"

Which was added to the HTTP Response headers using the following calls.

Cookie cookie = new Cookie("foo", "bar;baz");

This allowed for normally non-permitted characters (such as the ; separator found in the example above) to be used as part of a cookie value. With the introduction of RFC6265 (replacing the now obsolete RFC2965 and RFC2109) , this use of Double Quotes to enclose special characters is no longer possible.
This change was made as a reaction to the strict RFC6265 validation rules present in Chrome/Chromium.
As such, users are now required to encode their cookie values to use these characters.
Utilizing javax.servlet.http.Cookie, this can be done as:

Cookie cookie = new Cookie("foo", URLEncoder.encode("bar;baz", "utf-8"));

Starting with Jetty 9.4.3, we will now validate all cookie names and values when being added to the HttpServletResponse via the addCookie(Cookie) method.  If there is something amiss, Jetty will throw an IllegalArgumentException with the details.
Of note, this new addCookie(Cookie) validation will be applied via the ServerConnector, and will work on HTTP/1.0, HTTP/1.1, and HTTP/2.0
Additionally, Jetty has added a CookieCompliance property to the HttpConfiguration object which can be utilized to define which cookie policy the ServerConnectors will adhere to. By default, this will be set to RFC6265.
In the standard Jetty Distribution, this can be found in the server’s jetty.xml as:

<Set name="cookieCompliance">
  <Call class="org.eclipse.jetty.http.CookieCompliance" name="valueOf">
    <Arg><Property name="jetty.httpConfig.cookieCompliance" default="RFC6265"/></Arg>

Or if you are utilizing the module system in the Jetty distribution, you can set the jetty.httpConfig.cookieCompliance property in the appropriate start INI for your${jetty.base} (such as ${jetty.base}/start.ini or ${jetty.base}/start.d/server.ini):

## Cookie compliance mode of: RFC6265
# jetty.httpConfig.cookieCompliance=RFC6265

Or, for older Version=1 Cookies, use:

## Cookie compliance mode of: RFC2965
# jetty.httpConfig.cookieCompliance=RFC2965



Leave a Reply

Avatar placeholder

Your email address will not be published. Required fields are marked *