Space Character not Allowed in Cookie Value

This section provides a tutorial example showing that space character ' ' is not allowed in cookie value strings.

While testing cookies, I noticed an error with Tomcat 9. It relates to the space character " " used in cookie values.

Here is example JSP page that add a cookie with a value of "Herong Yang":

<?xml version="1.0"?>
<jsp:root xmlns:jsp="http://java.sun.com/JSP/Page" version="2.1">
<!--
 - CookieValueError.jspx
 - Copyright (c) 2003-2018, HerongYang.com, All Rights Reserved.
-->
<jsp:directive.page contentType="text/html"/>
<html><body>
<p>
<jsp:directive.page import="javax.servlet.http.Cookie"/>
<jsp:scriptlet><![CDATA[
   out.println("<b>Cookie with an invalid value:</b><br/>");
   Cookie  c = new Cookie("User","Herong Yang");
   c.setMaxAge(3*24*60*60);
   response.addCookie(c);
   out.println("Name: "+c.getName()+"<br/>");
   out.println("Value: "+c.getValue()+"<br/>");
   out.println("Domain: "+c.getDomain()+"<br/>");
   out.println("Path: "+c.getPath()+"<br/>");
   out.println("MaxAge: "+c.getMaxAge()+"<br/>");
   out.println("Version: "+c.getVersion()+"<br/>");
]]></jsp:scriptlet>
</p>
</body></html>
</jsp:root>

Visit this page with a Web browser on Tomcat 9, you will get this error:

HTTP Status 500 – Internal Server Error
Type Exception Report

Message An exception occurred processing [/CookieValueError.jspx] 
 at line [26]

Description The server encountered an unexpected condition that prevented 
 it from fulfilling the request.

Exception

org.apache.jasper.JasperException: An exception occurred processing 
 [/CookieValueError.jspx] at line [26]

Unable to display JSP extract. Probably due to an XML parser bug (see 
 Tomcat bug 48498 for details).

Stacktrace:
 org.apache.jasper.servlet.JspServletWrapper.handleJspException
  (JspServletWrapper.java:607)
 org.apache.jasper.servlet.JspServletWrapper.service
  (JspServletWrapper.java:496)
 org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:386)
 org.apache.jasper.servlet.JspServlet.service(JspServlet.java:330)
 javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
 org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)

Root Cause
java.lang.IllegalArgumentException: An invalid character [32] was present 
 in the Cookie value
 org.apache.tomcat.util.http.Rfc6265CookieProcessor.validateCookieValue...
 org.apache.tomcat.util.http.Rfc6265CookieProcessor.generateHeader(Rfc6...
 org.apache.catalina.connector.Response.generateCookieString(Response....)
 ...
 javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
 org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
Note The full stack trace of the root cause is available in the server logs.

Apache Tomcat/9.0.12

By reading the error message, it seems that the new Cookie standard RRC 6265 removed space character (together with comma and semi-colon) as allowed value characters.

The above JSP page was working fine with Tomcat 7, which uses an older cookie standard.

Last update: 2018.

Table of Contents

 About This Book

 JSP (JavaServer Pages) Overview

 Tomcat Installation on Windows Systems

 JSP Scripting Elements

 Java Servlet Introduction

 JSP Implicit Objects

 Syntax of JSP Pages and JSP Documents

 JSP Application Session

Managing Cookies in JSP Pages

 What Is a Cookie

 Sending and Receiving Cookies in JSP Pages

 Persistent Cookies Stored on Hard Disk

 Persistent Cookie Test Example

Space Character not Allowed in Cookie Value

 Dumping HTTP Response with Cookies

 JavaBean Objects and "useBean" Action Elements

 Managing HTTP Response Header Lines

 Non-ASCII Characters Support in JSP Pages

 Performance of JSP Pages

 EL (Expression Language)

 Overview of JSTL (JSP Standard Tag Libraries)

 JSTL Core Library

 JSP Custom Tags

 JSP Java Tag Interface

 Custom Tag Attributes

 Multiple Tags Working Together

 File Upload Test Application

 Outdated Tutorials

 References

 Full Version in PDF/EPUB