EAP 7 (Undertow) does not accept comma (,) as Cookie delimiter
Environment
- Red Hat JBoss Enterprise Application Platform (EAP)
- 7.x
- 8.x
Issue
- EAP 7 (Undertow) does not accept comma (,) as Cookie delimiter.
- When the following request Cookie header is sent from a client:

Cookie: FOO=BAR, JSESSIONID=<jsessionid-value>

EAP 6 handles this Cookie header as two cookies, "FOO=BAR" and "JSESSIONID=<jsessionid-value>". EAP 7 does not handle comma as a Cookie separator, so the whole header is treated as one cookie "FOO=BAR, JSESSIONID": the cookie name is FOO and its value is cut at the second "=". (If allow-equals-in-cookie-value="true" is set on the listener in the undertow subsystem, the "=" is kept in the value and EAP 7 treats the header as one cookie "FOO=BAR, JSESSIONID=<jsessionid-value>".) In either case the server sees no JSESSIONID cookie, so the request is not associated with its HTTP session.

Web browsers generally do not send a Cookie header that uses comma (,) as a delimiter; browsers use semicolon (;). However, comma is a valid separator in the old Cookie specification RFC 2109, and such a Cookie header is sent when commons-httpclient 3.x is used as the client and Apache httpd is placed in front as a load balancer, as reported in this knowledge article.
Resolution
In EAP 7.1.1 or later, comma (,) can be treated as a cookie separator by setting the system property io.undertow.legacy.cookie.COMMA_IS_SEPARATOR to true.
For example, add the following to $JBOSS_HOME/bin/standalone.conf:
JAVA_OPTS="$JAVA_OPTS -Dio.undertow.legacy.cookie.COMMA_IS_SEPARATOR=true"
Alternatively, define the system property in the server configuration (standalone.xml, or domain.xml/host.xml in domain mode). Please refer to How to add/remove/update system properties in EAP 6.x/7.x for details.
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.