3

I am running an web application on WildFly 8.1.0 and apparently my application is working absolutely fine. However, looking at the log files I noticed a strange exception. I've never seen that exception before.

I am using Apache 2.4 as reverse proxy. This reverse proxy is done with AJP port.

javax.servlet.ServletException: Cookie name "ctx:1420m06d05" is a reserved token

2014-07-07 11:10:57,512 ERROR [io.undertow.request] (default task-23) UT005023: Exception handling request to /app/emp/index.jspa: javax.servlet.ServletException: Cookie name "ctx:1420m06d05" is a reserved token
    at javax.faces.webapp.FacesServlet.service(FacesServlet.java:659) [jboss-jsf-api_2.2_spec-2.2.6.jar:2.2.6]
    at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:61) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:113) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:56) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:51) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:45) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:61) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:56) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:70) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:240) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:227) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:73) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:146) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:177) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:727) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [rt.jar:1.7.0_60]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [rt.jar:1.7.0_60]
    at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_60]
Caused by: java.lang.IllegalArgumentException: Cookie name "ctx:1420m06d05" is a reserved token
    at javax.servlet.http.Cookie.<init>(Cookie.java:192) [jboss-servlet-api_3.1_spec-1.0.0.Final.jar:1.0.0.Final]
    at io.undertow.servlet.spec.HttpServletRequestImpl.getCookies(HttpServletRequestImpl.java:145) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at com.sun.faces.context.RequestCookieMap.get(RequestCookieMap.java:79) [jsf-impl-2.2.6-jbossorg-4.jar:]
    at java.util.Collections$UnmodifiableMap.get(Collections.java:1339) [rt.jar:1.7.0_60]
    at com.sun.faces.context.flash.ELFlash.getCookie(ELFlash.java:956) [jsf-impl-2.2.6-jbossorg-4.jar:]
    at com.sun.faces.context.flash.ELFlash.doPrePhaseActions(ELFlash.java:581) [jsf-impl-2.2.6-jbossorg-4.jar:]
    at com.sun.faces.lifecycle.Phase.handleBeforePhase(Phase.java:215) [jsf-impl-2.2.6-jbossorg-4.jar:]
    at com.sun.faces.lifecycle.Phase.doPhase(Phase.java:99) [jsf-impl-2.2.6-jbossorg-4.jar:]
    at com.sun.faces.lifecycle.RestoreViewPhase.doPhase(RestoreViewPhase.java:121) [jsf-impl-2.2.6-jbossorg-4.jar:]
    at com.sun.faces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:198) [jsf-impl-2.2.6-jbossorg-4.jar:]
    at javax.faces.webapp.FacesServlet.service(FacesServlet.java:646) [jboss-jsf-api_2.2_spec-2.2.6.jar:2.2.6]
    ... 28 more

For now, the users also didn't noticed the error, but I am worried. Is this exception related with WildFly or with my application? What should I do to correct this error?

humungs
  • 1,144
  • 4
  • 25
  • 44

1 Answers1

7

It's because the cookie name contains the colon symbol. There are some forbidden characters in the cookie name. I agree the exception might be confusing.

Here is the related rfc

Community
  • 1
  • 1
Jiri Kremser
  • 12,471
  • 7
  • 45
  • 72
  • Thanks. Just one more question. I didn't use any explicit cookie on my application. Maybe these cookies are set by some lib that I am using like primefaces, spring security, CXF... Is there a way that I can override theses cookies name? Or I need to wait some new version of my libs? – humungs Jul 15 '14 at 18:17
  • 3
    It's a hacker probe. Someone's trying to find servers exposing a security hole when using cookies with this specific prefix. – BalusC Sep 19 '14 at 08:13
  • This can also happen if you (incorrectly) use a comma in the cookie-name, causing your intended cookie-value to be interpreted as a cookie-name (which doesn't allow colons or any other "separators"). – Shannon Jun 01 '16 at 19:55