[Esapi-user] Bug in HttpUtilities for cookie MaxAge with Internet Explorer
Olivier Jaquemet
olivier.jaquemet at jalios.com
Tue Nov 8 06:31:58 EST 2011
Hi again ! :)
I think I found another bug with DefaultHttpUtilities implementation
regarding cookie max-age :
When max-age has been specified, cookies created by HttpUtilities are
not compatible with Internet Explorer, as the "Max-Age" option is not
supported by this $£!%! browser, which only understands the "Expires"
option of the original Netscape specification.
Common J2EE AppServer implementations usually set both the Max-Age and
Expires options to work around this limitation.
Source regarding IE incompatibility with max-age:
http://blogs.msdn.com/b/ieinternals/archive/2009/08/20/wininet-ie-cookie-internals-faq.aspx
http://mrcoles.com/blog/cookies-max-age-vs-expires/
Source regarding some AppServer implementations:
https://issues.apache.org/bugzilla/show_bug.cgi?id=46403
The Tomcat bug report mentions an original security reason behind this
change (some date parsing related problem).
Therefore this behavior may not be a bug and may have been implemented
voluntarily in ESAPI. If so, where is it documented?
Otherwise, should I file a bug report?
Olivier
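The workaround the post describes, emitting both Max-Age and Expires so that a client that ignores Max-Age still sees the same lifetime, as an added Python example that is neither ESAPI's code nor the poster's; the clock value and cookie name are constructed for the demonstration.

```python
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime, parsedate_to_datetime


def build_set_cookie(name, value, max_age, now, path="/", secure=True, http_only=True):
    """Return a Set-Cookie header value carrying BOTH Max-Age and Expires.

    `now` is an aware UTC datetime; Expires is derived from it so the two
    attributes always agree (this mirrors the Tomcat workaround quoted above).
    """
    expires = now + timedelta(seconds=max_age)
    parts = [
        f"{name}={value}",
        f"Max-Age={max_age}",
        f"Expires={format_datetime(expires, usegmt=True)}",  # RFC 1123 date, GMT
        f"Path={path}",
    ]
    if secure:
        parts.append("Secure")
    if http_only:
        parts.append("HttpOnly")
    return "; ".join(parts)


def parse_set_cookie(header):
    """Split a Set-Cookie value into {attribute (lower-case): value-or-None}."""
    attrs = {}
    for part in header.split(";")[1:]:  # element 0 is name=value
        key, _, val = part.strip().partition("=")
        attrs[key.lower()] = val if val else None
    return attrs


def effective_lifetime(header, now, honors_max_age):
    """Seconds until expiry as seen by a client.

    honors_max_age=False models an Expires-only client such as the IE
    versions discussed above. None means the client treats it as a session
    cookie, which is exactly the failure mode the post reports.
    """
    attrs = parse_set_cookie(header)
    if honors_max_age and attrs.get("max-age") is not None:
        return int(attrs["max-age"])
    if attrs.get("expires") is not None:
        expires = parsedate_to_datetime(attrs["expires"])
        return int((expires - now).total_seconds())
    return None


# Constructed clock for a reproducible example.
NOW = datetime(2011, 11, 8, 11, 31, 58, tzinfo=timezone.utc)
BOTH = build_set_cookie("JSESSIONID", "constructed-session-id", 3600, NOW)
MAX_AGE_ONLY = "JSESSIONID=constructed-session-id; Max-Age=3600; Path=/"
```

With `BOTH`, an Expires-only client and a Max-Age client both compute 3600 seconds; with `MAX_AGE_ONLY`, the Expires-only client falls back to a session cookie.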