The Cookie Processor Component

Table of Contents

Introduction

The CookieProcessor element represents the component that parses received cookie headers into jakarta.servlet.http.Cookie objects accessible through HttpServletRequest.getCookies() and converts jakarta.servlet.http.Cookie objects added to the response through HttpServletResponse.addCookie() to the HTTP headers returned to the client.

A CookieProcessor element MAY be nested inside a Context component. If it is not included, a default implementation will be created automatically.

Attributes

Common Attributes

All implementations of CookieProcessor support the following attributes:

Attribute Description
className

Java class name of the implementation to use. This class must implement the org.apache.tomcat.util.http.CookieProcessor interface. If not specified, the standard value (defined below) will be used.

Standard Implementation

The standard implementation of CookieProcessor is org.apache.tomcat.util.http.Rfc6265CookieProcessor.

This cookie processor is based on RFC6265 with the following changes to support better interoperability:

  • Values 0x80 to 0xFF are permitted in cookie-octet to support the use of UTF-8 in cookie values as used by HTML 5.
  • For cookies without a value, the '=' is not required after the name as some browsers do not sent it.

The RFC 6265 cookie processor is generally more lenient than the legacy cookie parser. In particular:

  • The '=' and '/' characters are always permitted in a cookie value.
  • Name only cookies are always permitted.
  • The cookie header is always preserved.

The RFC 6265 Cookie Processor supports the following additional attributes.

Attribute Description
cookiesWithoutEquals

Determines how a cookie received from a user agent should be interpreted when the name value pair does not contain an equals sign. The default value is ignore which means the cookie will be ignored. The other option is name which means that the cookie will be treated as a cookie with a name but no value. In Tomcat 11 and earlier the default was name.

partitioned

Should the Partitioned flag be set on cookies? Defaults to false.

Note: The name of the attribute used to indicate a partitioned cookie as part of CHIPS is not defined by an RFC and may change in a non-backwards compatible way once equivalent functionality is included in an RFC.

sameSiteCookies

Enables setting same-site cookie attribute.

If value is unset then the same-site cookie attribute won't be set. This is the default value.

If value is none then the same-site cookie attribute will be set and the cookie will always be sent in cross-site requests.

If value is lax then the browser only sends the cookie in same-site requests and cross-site top level GET requests.

If value is strict then the browser prevents sending the cookie in any cross-site request.

Nested Components

No element may be nested inside a CookieProcessor.

Special Features

No special features are associated with a CookieProcessor element.