I have to remove cookies from the response and redirect back to the same requesting URL. I recently upgraded to Tomcat 9 and started using LegacyCookieProcessor to avoid an invalid domain error. But for some reason I am unable to remove the cookie and redirect to the same URL with the subsequent call having no cookie in the request.
Below is the code I am using to remove the cookie:
    import javax.servlet.http.Cookie;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    // getDomain, getTicketCookiePrefix, createCookie and encodeCookieValue are
    // helpers of the surrounding class that are not shown in the post.
    public static void removeCookie(String name, HttpServletRequest req, HttpServletResponse res) {
        boolean isSecure = req.isSecure();
        String domain = getDomain(req);
        String path = "/";
        String cookieName = getTicketCookiePrefix() + name;
        // Send a replacement cookie with an empty value and Max-Age 0 so the browser drops it.
        addCookie(req, res, cookieName, "", 0, path, domain, isSecure);
        Cookie[] cookies = req.getCookies();
        if (cookies != null) {
            // Blank the value on the request's own Cookie objects; this changes
            // only the in-memory copy for the current request, not the response.
            for (Cookie cookie : cookies) {
                if (cookie.getName().equals(cookieName)) {
                    cookie.setValue("");
                }
            }
        }
    }

    public static void addCookie(HttpServletRequest request, HttpServletResponse response, String name, String value, int cookielife, String path, String domain, boolean secure) {
        Cookie ck = createCookie(name, encodeCookieValue(value));
        if (path != null) {
            ck.setPath(path);
        }
        if (domain != null) {
            ck.setDomain(domain);
        }
        ck.setMaxAge(cookielife);
        ck.setSecure(secure);
        response.addCookie(ck);
    }
Please let me know if we need to do anything differently with the legacy cookie processor to remove the cookie.
Problem Statement: User-agent (IE) is unable to process (remove) cookie using 'Set-Cookie' header
Relevant diff between Tomcat 8 & 9:
Relevant diff between cookie processors: The legacy cookie parsing algorithm supported only limited global configuration via several system properties. Those system properties are still supported, but are going to be deprecated in favor of this new configuration element. ref: tomcat-8.0, tomcat-8.5
LegacyCookieProcessor
Rfc6265CookieProcessor
Combination used: Tomcat9 + LegacyCookieProcessor
Solution: Replace VM param FWD_SLASH_IS_SEPARATOR with LegacyCookieProcessor.forwardSlashIsSeparator attribute under context.xml/CookieProcessor
<CookieProcessor className="org.apache.tomcat.util.http.LegacyCookieProcessor" forwardSlashIsSeparator="false"/>
Ref:
RFC2109 - https://www.ietf.org/rfc/rfc2109.txt
RFC6265 - https://www.ietf.org/rfc/rfc6265.txt
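A way to check the effect of the setting outside the browser, as an added example that is not part of the original question or answer: Tomcat's configuration reference warns that treating '/' as a separator makes the cookie path attribute get quoted, which some browsers fail to process. The class below generates the deletion cookie's Set-Cookie value under both settings and reports whether Path is quoted. It assumes the Tomcat 9 and servlet API jars are on the classpath; the class name, cookie name and domain are constructed for illustration.

```java
import javax.servlet.http.Cookie;
import org.apache.tomcat.util.http.LegacyCookieProcessor;

public class ForwardSlashQuotingCheck {

    // Build the Set-Cookie value Tomcat would emit for a deletion cookie
    // shaped like the one in the question (empty value, Max-Age 0, Path "/").
    static String deletionHeader(boolean forwardSlashIsSeparator) {
        LegacyCookieProcessor processor = new LegacyCookieProcessor();
        processor.setForwardSlashIsSeparator(forwardSlashIsSeparator);

        Cookie ck = new Cookie("TICKET_demo", ""); // constructed cookie name
        ck.setPath("/");
        ck.setDomain("example.test");              // constructed domain
        ck.setMaxAge(0);
        ck.setSecure(true);
        // One-argument form; later 9.0.x releases deprecate it in favour of
        // generateHeader(Cookie, HttpServletRequest).
        return processor.generateHeader(ck);
    }

    // True when the Path attribute value starts with a double quote.
    static boolean hasQuotedPath(String header) {
        for (String attr : header.split(";")) {
            String a = attr.trim();
            if (a.regionMatches(true, 0, "Path=", 0, 5)) {
                return a.length() > 5 && a.charAt(5) == '"';
            }
        }
        return false;
    }

    public static void main(String[] args) {
        for (boolean flag : new boolean[] {true, false}) {
            String header = deletionHeader(flag);
            System.out.println("forwardSlashIsSeparator=" + flag);
            System.out.println("  Set-Cookie: " + header);
            System.out.println("  quoted Path: " + hasQuotedPath(header));
        }
    }
}
```

A deletion cookie only replaces the original when its name, Domain and Path match, so a ticket or session cookie that the browser refuses to clear stays valid after the redirect.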