Reputation: 188
I'm trying to upgrade from Tomcat 5.5 to Tomcat 7, and almost everything is working -- I just have some cookies that are getting through on Tomcat 5.5, but disappearing on Tomcat 7. That is, Firebug confirms that the cookies are being sent in both cases, but on Tomcat 5.5 they show up in a request.getCookies() call, and in Tomcat 7 they don't. Some cookies still show up (JSESSIONID, for example), but a couple are missing.
This is the same application running on the same server, port, etc. I just shut down Tomcat 5.5, start up 7, and the cookies no longer get through.
If it's relevant, both Tomcat instances are behind an Apache proxy running on a different server. It doesn't seem like it should be relevant, though, since Apache is clearly able to pass the cookies to Tomcat 5.5.
My guess is it's a security feature of some sort, though I haven't been able to figure out what it would be. The missing cookies are for domain .domain.org, while the cookies that are getting through (like JSESSIONID) are for host subdomain.domain.org (bolded text is just an example, obviously).
I tried setting useHttpOnly to false and crossContext to true in the context, in case it had something to do with one of those, but it didn't help. Besides those two settings, are there any other new features in Tomcat 7 (or Tomcat 6, for that matter) that could lead to it leaving out cookies? And if so, is there a handy workaround?
EDIT: I forgot to mention that it probably doesn't have anything to do with the cookie path -- the cookies that don't work have a path of "/", and the cookies that do work have variously "/", "/application", and "/application/".
Upvotes: 3
Views: 2296
Reputation: 1499
I might be late to the party, but I had a similar problem that required a much different solution.
The problem was in login data stored in cookies and then having the keys hard-coded in a file to confirm who is who. Due to WAR packaging, the paths got lost in the transfer, and the only thing I had to do was correct the paths to the right JSON files on the server.
Therefore, the issue was not in Tomcat but in the way things got transferred and the calls to those things.
I spent half a day locating the issue (I thought that there was some setting to be done in Tomcat), but then it was very simple once I realized that the paths to the JSON were off.
Upvotes: 0
Reputation: 188
I figured it out! The problem was colons in the cookie names. Apparently the HTTP specification doesn't allow colons that aren't quoted. Tomcat started enforcing this in 5.5.26 -- coincidentally, I had been using 5.5.25.
It doesn't solve my problem -- these cookies are set by third-party software -- but it does answer the question!
If you have colons in your cookie names, either they need to be quoted (like so ":") or you need to use Tomcat 5.5.25 or older. I may try to configure my Apache proxy to modify the cookies on their way through... if that works, I'll update this answer.
There is some more detail about this in the comments on this bug report.
Upvotes: 2
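A check for the problem described in the answer above, as an added example that is not part of the original post and is not Tomcat's own parser: it splits a captured Cookie request header and flags cookie names that are not valid RFC 2616 tokens (the colon is one of the separator characters a token may not contain). The header value and cookie names below are constructed sample data.

```python
"""Flag cookie names in a raw Cookie header that are not RFC 2616 tokens."""

# RFC 2616 section 2.2: a token is one or more CHARs, excluding control
# characters and these separators (note that ':' is among them).
SEPARATORS = set('()<>@,;:\\"/[]?={} \t')


def is_token(name):
    """Return True if name is a non-empty RFC 2616 token."""
    if not name:
        return False
    for ch in name:
        code = ord(ch)
        if code < 32 or code >= 127 or ch in SEPARATORS:
            return False
    return True


def split_cookie_header(header):
    """Split a Cookie request header into (name, value) pairs.

    Simplified: splits on ';' and on the first '=' only, so quoted
    values that themselves contain ';' are not handled.
    """
    pairs = []
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        pairs.append((name.strip(), value.strip()))
    return pairs


def audit_cookie_header(header):
    """Return {name: [offending characters]} for names that are not tokens."""
    findings = {}
    for name, _ in split_cookie_header(header):
        if not is_token(name):
            findings[name] = sorted(
                {c for c in name if c in SEPARATORS or ord(c) < 32 or ord(c) >= 127}
            )
    return findings


# Constructed sample header: two names contain a colon, two are valid tokens.
SAMPLE = "JSESSIONID=0123ABCD; vendor:session=xyz; theme=dark; sso:user=alice"

if __name__ == "__main__":
    for name, bad in audit_cookie_header(SAMPLE).items():
        print(f"{name!r}: invalid characters {bad}")
```

Running it over the Cookie header copied from the browser's network panel shows which names a strict parser would reject, which helps when deciding what a proxy-side rewrite would have to rename.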