JDK-6790677 : java.net.HttpCookie.parse(String) should ignore unrecognized attributes, RFC2965
  • Type: Bug
  • Component: core-libs
  • Sub-Component: java.net
  • Affected Version: 6u10
  • Priority: P4
  • Status: Closed
  • Resolution: Fixed
  • OS: windows_xp
  • CPU: x86
  • Submitted: 2009-01-06
  • Updated: 2011-03-08
  • Resolved: 2011-03-08
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
JDK 7
7 b48Fixed
Description
FULL PRODUCT VERSION :
I have confirmed this bug is present (via source inspection) in the latest JDK7 pre-release as of this date (jdk-7-ea-src-b42-jrl-19_dec_2008.jar) as well as the latest JDK6 release I could find (jdk-6u12-ea-bin-b03-linux-i586-22_dec_2008.bin).

ADDITIONAL OS VERSION INFORMATION :
This bug is architecture independent.

A DESCRIPTION OF THE PROBLEM :
As per section 3.1.1 of RFC2965, "The user agent MUST ignore attribute-value pairs whose attribute it does not recognize."  However, the parse method of java.net.HttpCookie throws an IllegalArgumentException with the message "Illegal cookie attribute", which makes it very difficult for Java applications to be conformant to this section of the spec.  In fact, when using the java.net.CookieManager class, this results in silently ignoring the cookie altogether.

I contend that it would be preferable to ignore only the unrecognized attribute value (possibly with some sort of signal to indicate to developers that it has been ignored).  This would avoid future bugs whenever a new cookie field gains wide-spread adoption by other browser vendors (such as the earlier HttpOnly bug).

I also suggest that parse errors for optional attributes should result in those attributes being ignored, rather than causing an IllegalArgumentException.  This would allow Java applications to be much more tolerant of what they are able to accept from non-conformant server applications.  (In the general principle of Postel's Law)

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
  To reproduce this bug, call java.net.HttpCookie.parse(String) with any string containing an unrecognized attribute value.  e.g. java.net.HttpCookie.parse("foo=bar; awesome")

EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
I was expecting the "awesome" attribute to be ignored (possibly with a warning or class property to query for ignored attributes).
ACTUAL -
An IllegalArgumentException with the message "Illegal cookie attribute" is generated.

ERROR MESSAGES/STACK TRACES THAT OCCUR :
java.lang.IllegalArgumentException: Illegal cookie attribute
	at java.net.HttpCookie.assignAttribute(HttpCookie.java:1019)
	at java.net.HttpCookie.parseInternal(HttpCookie.java:927)
	at java.net.HttpCookie.parse(HttpCookie.java:188)
	at TestCookieParser.main(TestCookieParser.java:6)

REPRODUCIBILITY :
This bug can be reproduced always.

---------- BEGIN SOURCE ----------
import java.net.HttpCookie;

public class TestCookieParser {
	public static void main(String[] args) {
		try {
			HttpCookie.parse("foo=bar; awesome");
			System.out.println("Successfully parsed cookie");
		} catch (Exception ex) {
			System.err.println("Unable to parse cookie:");
			ex.printStackTrace();
		}
	}
}
---------- END SOURCE ----------

CUSTOMER SUBMITTED WORKAROUND :
It is possible to repeatedly call HttpCookie.parse(String) on each attribute pair to determine which attribute pair is causing the exception.  Once this is determined, the offending pairs can be removed from the original cookie string and the remaining pairs can be parsed into a single cookie.
Comments
EVALUATION Yes, I had noted the issue while working on an other project and meant to file a bug for this. Quite easy to fix. Will do so as soon as possible.
15-01-2009