demba90 / owasp-esapi-java

Automatically exported from code.google.com/p/owasp-esapi-java

Limit max size of entire cookies #153

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago
Spec says:

      * at least 4096 bytes per cookie (as measured by the size of the
        characters that comprise the cookie non-terminal in the syntax
        description of the Set-Cookie header)
So it sounds to me that this is a limitation on the size of the *entire* cookie
including all metadata *and* name. Thus, if we limit the size of the data to
4096 and someone actually uses all 4096 bytes of space for their data, we could
be breaking spec with the rest of the headers.

My gut here is that we should be calculating this as the cookie is built
(container implementations may also already be doing this, FWIW).

Original issue reported on code.google.com by manico.james@gmail.com on 28 Sep 2010 at 11:29
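
A sketch of the check proposed in the report above, added here as an example; it is not part of the thread and not ESAPI code. The class name `SizedCookieBuilder`, its methods, and the choice to count UTF-8 bytes of the serialized cookie text are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.util.Collections;

// Hypothetical helper (not ESAPI code): enforces the limit on the whole
// cookie (name, value and attributes) while the header value is built.
public class SizedCookieBuilder {
    static final int MAX_COOKIE_BYTES = 4096; // figure quoted in the issue

    private final StringBuilder cookie = new StringBuilder();
    private int size = 0;

    SizedCookieBuilder(String name, String value) {
        append(name + "=" + value);
    }

    // Adds one attribute such as "Path=/app" or "HttpOnly".
    SizedCookieBuilder attribute(String attr) {
        append("; " + attr);
        return this;
    }

    private void append(String part) {
        // Assumption: size is counted in UTF-8 bytes of the serialized text.
        int newSize = size + part.getBytes(StandardCharsets.UTF_8).length;
        if (newSize > MAX_COOKIE_BYTES) {
            throw new IllegalArgumentException(
                "cookie would be " + newSize + " bytes; limit is " + MAX_COOKIE_BYTES);
        }
        cookie.append(part);
        size = newSize;
    }

    String build() { return cookie.toString(); }

    public static void main(String[] args) {
        // Constructed sample: the value alone (4070 bytes) is under the limit.
        String value = String.join("", Collections.nCopies(4070, "x"));
        SizedCookieBuilder b = new SizedCookieBuilder("session", value)
                .attribute("Path=/app"); // "session=" adds 8 bytes, this adds 11
        System.out.println("accepted at " + b.build().length() + " chars");
        try {
            b.attribute("HttpOnly");     // 10 more bytes pushes the total past 4096
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

A check on the value alone would accept this cookie, since 4070 is below 4096; counting as each part is appended rejects it once the name and attributes are included.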

GoogleCodeExporter commented 8 years ago
This should get fixed before 2.0GA

Original comment by manico.james@gmail.com on 2 Nov 2010 at 8:11

GoogleCodeExporter commented 8 years ago

Original comment by kevin.w.wall@gmail.com on 12 Feb 2011 at 8:40

GoogleCodeExporter commented 8 years ago

Original comment by manico.james@gmail.com on 29 May 2012 at 3:20