Airlock Gateway implements a cookie store. Cookies are not exposed to the client by default. This prevents various attacks on cookies and enables secure cookie exchange between back-ends. Airlock Gateway further supports passing cookies directly to the client, either in cleartext or encrypted. These features require parsing all cookies in HTTP requests as well as in HTTP responses.
Currently, the parser behavior can be configured as legacy parsing TRUE or FALSE. Both the legacy parsing and the new parsing (which follows RFC 6265) can break certain applications that do not respect the newest RFCs. This article provides technical information about the changes in parsing.
Cookie parsing is described in three different RFCs. The following table lists some statements from these RFCs:
RFC and year | What it states |
---|---|
RFC 2109 from 1997 | Allows multiple cookies within the same Set-Cookie header. Servers should accept comma and semicolon-separated cookies. This is the Airlock Gateway default behavior before version 7.4. |
RFC 2965 from 2000 | Added a new definition of cookies ( |
RFC 6265 from 2011 | Forbids multiple cookie values within the same |
The new implementation of Airlock Gateway follows the newest RFC 6265 which is also implemented by all modern browsers and most modern web application servers.
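The following added example (not Airlock Gateway code) contrasts the two interpretations from the table: a comma-separated reading in the style of RFC 2109 and the one-cookie-per-header reading of RFC 6265. The function names, the naive comma split and the sample headers are assumptions made for illustration.

```python
# Added illustration, not Airlock Gateway code: two simplified Set-Cookie parsers.

def parse_rfc6265(header_value):
    """RFC 6265 view: one Set-Cookie header carries exactly one cookie."""
    pair, _, attr_text = header_value.partition(";")
    name, sep, value = pair.partition("=")
    if not sep or not name.strip():
        return []  # RFC 6265 section 5.2: ignore a string with no "=" or no name
    attrs = {}
    for chunk in attr_text.split(";"):
        if chunk.strip():
            key, _, val = chunk.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return [(name.strip(), value.strip(), attrs)]


def parse_comma_list(header_value):
    """RFC 2109 view: commas separate several cookies in one header.

    Assumption: a naive split on every comma, with no special-casing of dates.
    """
    cookies = []
    for part in header_value.split(","):
        cookies.extend(parse_rfc6265(part))
    return cookies


# Constructed sample headers (values are made up for this example).
FOLDED = "a=1, b=2"
WITH_EXPIRES = "sid=abc; Expires=Wed, 09 Jun 2021 10:18:14 GMT; Path=/"


def compare(header_value):
    """Return both interpretations so the divergence is visible side by side."""
    return {
        "comma_list": parse_comma_list(header_value),
        "rfc6265": parse_rfc6265(header_value),
    }


if __name__ == "__main__":
    for sample in (FOLDED, WITH_EXPIRES):
        print(sample)
        for mode, cookies in compare(sample).items():
            print(f"  {mode}: {cookies}")
```

The folded header yields two cookies under the comma-separated reading but a single cookie `a` with value `1, b=2` under RFC 6265, while the header with an `Expires` date loses its `Path` attribute and most of the date when split on commas. Either mismatch can break session handling in a back-end that expects the other behavior.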