A cookie header was received that contained an invalid cookie.

Question

I am migrating my Server from Tomcat-6 to Tomcat-9. My website is designed for the protocol of HTTP/1.1 . The server.xml file

Answer 1

Fwiw: I somehow got my Chrome browser into a really b0rken state, getting it to send a malformed cookie with mismatched quotes: "XSRF-TOKEN=93926112-aa12-440e-8e06-02b7fbce27d5;

Just clearing the cookie from the developer tools wasn't sufficient, but Clear storage from the sidebar of the Application tab seems to have done it.

Answer 2

I found the API deployed on tomcat able to grab the cookies when I send a cURL request, though there was tomcat warning.

curl -XPOST -H "Content-Type: application/json"  --cookie "userId=64ad960c-bb7e-48dd-8191-4f31539bc2c2,accessToken=64ad960c-bb7e-48dd-8191-4f31539bc2c2" -d '{"message":"play porcupine tree"}' http://localhost:9090/nlu/convo

But to remove the warning, had to update cookie processor (LegacyCookieProcessor) in the tomcat config (conf/context.xml)

Example,

cat /usr/local/apache-tomcat-8.5.12/conf/context.xml 
<?xml version="1.0" encoding="UTF-8"?>
<!-- The contents of this file will be loaded for each web application -->
<Context>

    <WatchedResource>WEB-INF/web.xml</WatchedResource>
    <WatchedResource>${catalina.base}/conf/web.xml</WatchedResource>

    <!--
    <CookieProcessor className="org.apache.tomcat.util.http.Rfc6265CookieProcessor" />
    -->

    <CookieProcessor className="org.apache.tomcat.util.http.LegacyCookieProcessor" />

</Context>

I thought org.apache.tomcat.util.http.Rfc6265CookieProcessor would work but did not, LegacyCookieProcessor is required.

Reference

https://tomcat.apache.org/tomcat-8.5-doc/config/cookie-processor.html#Legacy_Cookie_Processor_-_org.apache.tomcat.util.http.LegacyCookieProcessor

https://tools.ietf.org/html/rfc6265

LegacyCookieProcessor implements a strict interpretation of the cookie specifications. Due to various interoperability issues with browsers not all strict behaviours are enabled by default and additional options are available to further relax the behaviour of this cookie processor if required.

Answer 3

i was getting this issue with spring boot of version above 2.2.x

it got fixed after adding below bean

public WebServerFactoryCustomizer<TomcatServletWebServerFactory> cookieProcessorCustomizer() {
    return tomcatServletWebServerFactory -> tomcatServletWebServerFactory.addContextCustomizers((TomcatContextCustomizer) context -> {
      context.setCookieProcessor(new LegacyCookieProcessor());
    });
  }