Uploaded image for project: 'XWiki Platform'
  1. XWiki Platform
  2. XWIKI-2119

Authentication fails with current tomcat versions




      In Tomcat version 6.0.14 and 5.5.26 the handling of cookies was changed, to fix some security issues.

      This leads now to the effect, that the login fails because Xwiki detects tampered cookies.

      Xwiki logs "WARN xwiki.MyPersistentLoginManager - Login cookie validation hash mismatch! Cookies have been tampered with
      " and login fails without any error message.

      Detailed description of the changes is discussed in this thread:


      I have just copied the relevant part of this thread, here ist is explained, that in the new tomcat version, the cookie handling was changed to make it compliant to the specs.

      Xwiki has now to be changed to use Cookie Version 1 instead of the default 0.

      Just add the following line


      <<<<<<<<<<<<<<<<<This is the relevant snippet out of the thread mentioned above <<<<<<
      The changes are documented in the change log. As a result of
      a couple of minor security issues (see
      http://tomcat.apache.org/security-6.html) the cookie handling code has been
      tightened up to make it spec compliant.

      By default the servlet spec uses version 0 cookies. The name value pairs
      are defined as:
      This string is a sequence of characters excluding semi-colon, comma and
      white space. If there is a need to place such data in the name or value,
      some encoding method such as URL style %XX encoding is recommended, though
      no encoding is defined or required.

      The difficulty here is that although '=' is the delimiter between NAME and
      VALUE there is no need to encode it if it appears in the name or the value.
      This causes some ambiguities when parsing a header of the form:
      Set-Cookie: foo=bar=bartoo

      Is the name 'foo' or 'foo=bar'? Is the value 'bar=bartoo' or 'bartoo'?

      The changes to the cookie parsing mean the second '=' and any text beyond
      it are now ignored.

      If you set the cookie version to 1 then the quoting will be applied where
      necessary and your example will work as you intend.




            sdumitriu Sergiu Dumitriu
            rdotzert Ralf Dotzert
            0 Vote for this issue
            0 Start watching this issue