Error with cookie-value when adding a new Spring Session

Question

In my Spring Boot 1.4 based application I use Spring Session to store session data in the database with JDBC.

This works fine

Answer 1

Function cookie cannot encode properly the value with space also french signs and so on. I solve this problem with URLEncoder.encode(String arg0, Encoding version) here I used UTF-8. Here the method I created!

private static void setCookie( HttpServletResponse response, String nom, String valeur, int maxAge )throws IOException { 
    Cookie cookie = new Cookie( nom, URLEncoder.encode( valeur, "UTF-8" ) );
    cookie.setMaxAge( maxAge );
    response.addCookie( cookie );
}

Answer 2

This is due to Tomcat's cookie processing being changed to a RFC 6265 compliant implementation by default in 8.5, which does not allow space (character 32), among others.

As a workaround, you can configure Tomcat to use legacy cookie processor. To do this with Spring Boot, register an EmbeddedServletContainerCustomizer @Bean like this:

@Bean
public EmbeddedServletContainerCustomizer customizer() {
    return container -> {
        if (container instanceof TomcatEmbeddedServletContainerFactory) {
            TomcatEmbeddedServletContainerFactory tomcat = (TomcatEmbeddedServletContainerFactory) container;
            tomcat.addContextCustomizers(context -> context.setCookieProcessor(new LegacyCookieProcessor()));
        }
    };
}

Also see spring-projects/spring-session#gh-605 to track the progress of fixing this in Spring Session.

Update:

The above described solution is valid for Spring Boot 1.x. Starting with Spring Boot 2.0, EmbeddedServletContainerCustomizer has been replaced with WebServerFactoryCustomizer as described in the Spring Boot 2.0 migration guide.

Also note that starting with Spring Session 2.0, session cookie is Base64 encoded by default which prevents the original problem from occurring.

Answer 3

CookieProcessor is a new configuration element, introduced in Tomcat 8.0.15. The CookieProcessor element allows different cookie parsing configuration in each web application, or globally in the default conf/context.xml file.

According to official docs at Apache Tomcat 8 Configuration Reference Version 8.0.47 :

The standard implementation of CookieProcessor is: org.apache.tomcat.util.http.LegacyCookieProcessor. Note that it is anticipated that this will change to org.apache.tomcat.util.http.Rfc6265CookieProcessor in a future Tomcat 8 release.

Later..

According to official docs at Apache Tomcat 8 Configuration Reference Version 8.5.23:

The standard implementation of CookieProcessor is org.apache.tomcat.util.http.Rfc6265CookieProcessor.

To resolve this issue: add this line in conf/context.xml at location %CATALINA_HOME% (i.e. C:\apache-tomcat-8.5.20\conf\context.xml in my case):

<CookieProcessor className="org.apache.tomcat.util.http.LegacyCookieProcessor" />

This is how it looks like after adding:

<?xml version="1.0" encoding="UTF-8"?>

<Context reloadable="true">
    <WatchedResource>WEB-INF/web.xml</WatchedResource>
    <WatchedResource>${catalina.base}/conf/web.xml</WatchedResource>
    <Transaction factory="bitronix.tm.BitronixUserTransactionObjectFactory"/>
    <CookieProcessor className="org.apache.tomcat.util.http.LegacyCookieProcessor" />    
</Context>

Answer 4

we can apply cookieValue.trim() or cookieValue.replace(" ", "") to remove whitespaces or "spcbefore

Answer 5

Don't use whitespaces in the content of the cookie. It is mentioning whitespace as the invalid character.