A cookie header was received containing an invalid cookie.

I am moving my server from Tomcat-6 to Tomcat-9. My site is designed for the HTTP/1.1 protocol. The server.xml file contains the org.apache.coyote.http11.Http11NioProtocol connector protocol. The server starts normally without generating any errors. However, when I try to access my site using localhost, I get the following error:

INFO [https-nio-8445-exec-3] org.apache.tomcat.util.http.parser.Cookie.logInvalidHeader Cookie header received [2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 21, 22, 23]; userId = 53136], which contains an invalid cookie. This cookie will be ignored. Note: Further occurrences of this error will be logged at the DEBUG level.

Can anyone tell me the reason for this error? What causes an invalid cookie? Can this error be avoided if I use a different connector?

+13
java cookies tomcat web networking
2 answers

I found that the API deployed to Tomcat is able to capture cookies when I send a cURL request, although there was a Tomcat warning.

curl -XPOST -H "Content-Type: application/json" --cookie "userId=64ad960c-bb7e-48dd-8191-4f31539bc2c2,accessToken=64ad960c-bb7e-48dd-8191-4f31539bc2c2" -d '{"message":"play porcupine tree"}' http://localhost:9090/nlu/convo 

But to remove the warning, I had to update the cookie processor (LegacyCookieProcessor) in the Tomcat configuration (conf/context.xml).

Example,

    cat /usr/local/apache-tomcat-8.5.12/conf/context.xml
    <?xml version="1.0" encoding="UTF-8"?>
    <!-- The contents of this file will be loaded for each web application -->
    <Context>
        <WatchedResource>WEB-INF/web.xml</WatchedResource>
        <WatchedResource>${catalina.base}/conf/web.xml</WatchedResource>
        <!--
        <CookieProcessor className="org.apache.tomcat.util.http.Rfc6265CookieProcessor" />
        -->
        <CookieProcessor className="org.apache.tomcat.util.http.LegacyCookieProcessor" />
    </Context>

I thought that org.apache.tomcat.util.http.Rfc6265CookieProcessor would work, but it did not; LegacyCookieProcessor is required.

Links

https://tomcat.apache.org/tomcat-8.5-doc/config/cookie-processor.html#Legacy_Cookie_Processor_-_org.apache.tomcat.util.http.LegacyCookieProcessor

https://tools.ietf.org/html/rfc6265

LegacyCookieProcessor implements a strict interpretation of cookie specifications. Due to various browser interaction issues, not all strict behaviors are enabled by default and additional options are available to further weaken the behavior of this cookie processor, if necessary.

+4

Fwiw: I somehow turned the Chrome browser into a really excited state, forcing it to send a malformed cookie with inappropriate quotes: "XSRF-TOKEN=93926112-aa12-440e-8e06-02b7fbce27d5;

Just clearing the cookies from the developer tools was not enough, but it seems that Clear storage from the sidebar of the Application tab did it.

0
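
An added example, not part of either answer and not Tomcat's code: a Python check of a Cookie header against the RFC 6265 cookie-pair grammar linked in the first answer, run on the two cookie strings quoted above. It follows the RFC grammar rather than reproducing Tomcat's parser; `check_cookie_header` and the `FIXED_COOKIE` sample are constructed for this illustration.

```python
import string

# RFC 6265 section 4.1.1 grammar. cookie-name is an HTTP token; cookie-octet is
# printable US-ASCII except DQUOTE, comma, semicolon and backslash (no spaces).
TOKEN_CHARS = set(string.ascii_letters + string.digits + "!#$%&'*+-.^_`|~")
OCTET_CHARS = {chr(c) for c in range(0x21, 0x7F)} - set('",;\\')


def check_cookie_header(header):
    """Return (cookie-name, part, offending characters) for each invalid pair."""
    findings = []
    for segment in header.split(";"):
        pair = segment.strip(" ")  # tolerate extra spaces around the separator
        if not pair:
            continue  # a trailing ';' leaves an empty segment
        name, sep, value = pair.partition("=")
        if not sep:
            findings.append((name, "pair", ["missing '='"]))
            continue
        bad_name = sorted(set(name) - TOKEN_CHARS)
        if bad_name or not name:
            findings.append((name, "name", bad_name))
            continue
        # The grammar allows one pair of DQUOTEs wrapping the whole value.
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        bad_value = sorted(set(value) - OCTET_CHARS)
        if bad_value:
            findings.append((name, "value", bad_value))
    return findings


# Cookie strings quoted on this page.
CURL_COOKIE = ("userId=64ad960c-bb7e-48dd-8191-4f31539bc2c2,"
               "accessToken=64ad960c-bb7e-48dd-8191-4f31539bc2c2")
CHROME_COOKIE = '"XSRF-TOKEN=93926112-aa12-440e-8e06-02b7fbce27d5;'
# Constructed: the curl cookies re-sent with the "; " separator the RFC defines.
FIXED_COOKIE = ("userId=64ad960c-bb7e-48dd-8191-4f31539bc2c2; "
                "accessToken=64ad960c-bb7e-48dd-8191-4f31539bc2c2")

if __name__ == "__main__":
    for label, header in [("curl", CURL_COOKIE), ("chrome", CHROME_COOKIE),
                          ("fixed", FIXED_COOKIE)]:
        print(label, check_cookie_header(header) or "valid")
```

The curl string is read as a single `userId` cookie whose value contains a comma, and the Chrome string fails on the quote at the start of the name; the same two cookies separated by `; ` satisfy the grammar.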