PQ56638: HTTP TRANSPORT NSAPI DOES NOT PARSE COOKIES WITH DOUBLE QUOTES

APAR status
Closed as program error.

Error description
iPlanet inserts escape characters when double quotes are
included in cookie names.  This applies only to iPlanet
HTTP Server and WAS4.0.

If the following cookies are created by a browser:

<script>
document.cookie = 'TestCookie="Hello"; secure;';
document.cookie = 'TestCookie2="Goodbye"; secure;';
</script>

the HTTP Transport native.log file with tracing enabled shows
that the cb_get_headers function parses out the cookies as
follows:

   Hello\ and Goodbye\

The exception "cb_get_header: Failed to parse and set headers"
is then thrown.

Local fix
No workaround exists other than not using quotes in cookie
headers.

Problem summary
****************************************************************
* USERS AFFECTED: WebSphere Application Server version 4.0.0,  *
*                 4.0.1, or 4.0.2 users who use quotes in the  *
*                 values for Cookie headers with iPlanet       *
*                 webserver.                                   *
****************************************************************
* PROBLEM DESCRIPTION: iPlanet webserver would escape the      *
*                      quotes in the Cookie header but the     *
*                      plugin didn't parse the escape          *
*                      correctly.  As a result the header      *
*                      parsing would be invalid.               *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
When cookie values contained quotes, the iPlanet webserver
escaped them in the string the plugin parsed, but the plugin
did not expect the quotes, so parsing failed.

Problem conclusion
Modify the plugin so that if a quote is escaped it continues
to parse the cookie header until the real end of the header
is reached.
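
The parsing change described above, sketched as an added example; this is not the plugin's source. It assumes the header reaches the parser as a quoted string with embedded quotes backslash-escaped; SAMPLE, parse_naive and parse_escaped are hypothetical names, and the input is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample (assumption): the Cookie header as a quoted string in
   which the server has backslash-escaped the embedded double quotes. */
static const char SAMPLE[] =
    "\"TestCookie=\\\"Hello\\\"; TestCookie2=\\\"Goodbye\\\"\"";

/* Pre-fix behaviour: the first '"' after the opening quote ends the value.
   Returns the number of bytes copied, or -1 on error. */
int parse_naive(const char *in, char *out, size_t cap)
{
    if (in[0] != '"') return -1;
    const char *end = strchr(in + 1, '"');
    if (!end) return -1;
    size_t n = (size_t)(end - (in + 1));
    if (n >= cap) return -1;
    memcpy(out, in + 1, n);
    out[n] = '\0';
    return (int)n;
}

/* Fixed behaviour: a backslash escapes the next byte, so an escaped quote is
   copied as data and scanning continues to the real closing quote. */
int parse_escaped(const char *in, char *out, size_t cap)
{
    size_t n = 0;
    if (cap == 0 || in[0] != '"') return -1;
    for (const char *p = in + 1; *p; p++) {
        if (*p == '"') {                 /* unescaped quote: real end */
            out[n] = '\0';
            return (int)n;
        }
        if (*p == '\\' && !*++p) return -1;  /* dangling backslash */
        if (n + 1 >= cap) return -1;     /* keep room for the NUL */
        out[n++] = *p;
    }
    return -1;                           /* unterminated: reject, do not guess */
}

int main(void)
{
    char buf[128];
    if (parse_naive(SAMPLE, buf, sizeof buf) >= 0) printf("naive:   %s\n", buf);
    if (parse_escaped(SAMPLE, buf, sizeof buf) >= 0) printf("escaped: %s\n", buf);
    return 0;
}
```

The naive scan stops at the first escaped quote and leaves a trailing backslash in the value; the escape-aware scan returns the whole header and rejects unterminated or oversized input rather than truncating it.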

Temporary fix

Comments

APAR information
APAR number PQ56638
Reported component name WEBSPHERE AE SO
Reported component ID 5630A2202
Reported release 400
Status CLOSED PER
PE NoPE
HIPER NoHIPER
Submitted date 2002-01-14
Closed date 2002-02-20
Last modified date 2002-11-01

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Modules/Macros
PLUGIN          

Fix information
Fixed component name WEBSPHERE AE SO
Fixed component ID 5630A2202

Applicable component levels
R400 PSY    UP


Document Information


Software version: 400
Reference #: PQ56638
IBM Group: Software Group
Modified date: Nov 1, 2002