[Esapi-user] Bug in HttpUtilities for cookie MaxAge with Internet Explorer
olivier.jaquemet at jalios.com
Tue Nov 8 06:31:58 EST 2011
Hi again ! :)
I think I found another bug in the DefaultHttpUtilities implementation
regarding cookie max-age:
When max-age has been specified, cookies created by HttpUtilities are
not compatible with Internet Explorer, as the "Max-Age" option is not
supported by this $£!%! browser, which only understands the "Expires"
option of the original Netscape specification.
Common J2EE AppServer implementations usually set both the Max-Age and
Expires options to work around this limitation.
Source regarding IE incompatibility with max-age :
Source regarding some AppServer implementation :
The Tomcat bug report mentions an original security reason behind this
change (some date parsing related problem).
Therefore this behavior may not be a bug and was implemented voluntarily
in ESAPI. If so, where is it documented?
Otherwise, should I file a bug report?
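
The workaround described in the message above (sending both Max-Age and Expires), as an added example that is not part of the original post and is not ESAPI or application-server code. The class and method names are hypothetical, the name and value are assumed to be validated already, and the handling of negative and zero values follows the servlet Cookie.setMaxAge convention (negative: session cookie, zero: delete).

```java
import java.time.Instant;
import java.time.ZoneOffset;
import java.time.format.DateTimeFormatter;
import java.util.Locale;

public class CookieExpiryExample {

    // HTTP-date in GMT with a fixed English locale, so the output does not
    // depend on the server's default locale or time zone.
    private static final DateTimeFormatter HTTP_DATE = DateTimeFormatter
            .ofPattern("EEE, dd MMM yyyy HH:mm:ss 'GMT'", Locale.US)
            .withZone(ZoneOffset.UTC);

    // Hypothetical helper: builds a Set-Cookie value carrying both lifetime
    // attributes, so clients that ignore Max-Age still see Expires.
    static String buildSetCookie(String name, String value,
                                 int maxAgeSeconds, Instant now) {
        StringBuilder header = new StringBuilder(name).append('=').append(value);
        if (maxAgeSeconds >= 0) {
            header.append("; Max-Age=").append(maxAgeSeconds);
            // Zero means "delete now": use a date safely in the past rather
            // than the current time, so client clock skew cannot keep it alive.
            Instant expires = (maxAgeSeconds == 0)
                    ? Instant.EPOCH
                    : now.plusSeconds(maxAgeSeconds);
            header.append("; Expires=").append(HTTP_DATE.format(expires));
        }
        // A negative max-age emits neither attribute: the cookie lasts only
        // for the browser session.
        header.append("; Path=/; Secure; HttpOnly");
        return header.toString();
    }

    public static void main(String[] args) {
        // Constructed sample inputs; the fixed clock keeps the output stable.
        Instant now = Instant.parse("2011-11-08T11:31:58Z");
        System.out.println(buildSetCookie("pref", "abc123", 3600, now));
        System.out.println(buildSetCookie("pref", "", 0, now));
        System.out.println(buildSetCookie("pref", "abc123", -1, now));
    }
}
```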