Description of problem:

Use an out of the box EAP installation and run (the cookie value contains a 'control' character):

    curl -i 'http://<my_server>/some-url' -H 'Cookie:=�'

    HTTP/1.1 200 OK
    Date: Wed, 14 Sep 2016 09:08:03 GMT
    Server: Apache-Coyote/1.1
    Content-Length: 0
    Connection: close
    Content-Type: text/plain

The stack trace:

    2016-09-05 18:37:15,659 ERROR [http-executor-threads - 24] (o.a.c.connector) JBWEB001018: An exception or error occurred in the container during the request processing: java.lang.IllegalArgumentException: JBWEB002039: Control character in cookie value or attribute
        at org.apache.tomcat.util.http.CookieSupport.isHttpSeparator(CookieSupport.java:188) [jbossweb.jar:7.3.1.Final-redhat-1]
        at org.apache.tomcat.util.http.Cookies.getTokenEndPosition(Cookies.java:454) [jbossweb.jar:7.3.1.Final-redhat-1]
        at org.apache.tomcat.util.http.Cookies.processCookieHeader(Cookies.java:277) [jbossweb.jar:7.3.1.Final-redhat-1]
        at org.apache.tomcat.util.http.Cookies.processCookies(Cookies.java:158) [jbossweb.jar:7.3.1.Final-redhat-1]
        at org.apache.tomcat.util.http.Cookies.getCookieCount(Cookies.java:96) [jbossweb.jar:7.3.1.Final-redhat-1]
        at org.apache.catalina.connector.CoyoteAdapter.parseSessionCookiesId(CoyoteAdapter.java:641) [jbossweb.jar:7.3.1.Final-redhat-1]
        at org.apache.catalina.connector.CoyoteAdapter.postParseRequest(CoyoteAdapter.java:583) [jbossweb.jar:7.3.1.Final-redhat-1]
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:333) [jbossweb.jar:7.3.1.Final-redhat-1]
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856) [jbossweb.jar:7.3.1.Final-redhat-1]
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:653) [jbossweb.jar:7.3.1.Final-redhat-1]
        at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:511) [jbossweb.jar:7.3.1.Final-redhat-1]
        at org.jboss.threads.SimpleDirectExecutor.execute(SimpleDirectExecutor.java:33) [jboss-threads.jar:2.1.1.Final-redhat-1]
        at org.jboss.threads.QueueExecutor.runTask(QueueExecutor.java:808) [jboss-threads.jar:2.1.1.Final-redhat-1]
        at org.jboss.threads.QueueExecutor.access$100(QueueExecutor.java:45) [jboss-threads.jar:2.1.1.Final-redhat-1]
        at org.jboss.threads.QueueExecutor$Worker.run(QueueExecutor.java:849) [jboss-threads.jar:2.1.1.Final-redhat-1]
        at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_85]
        at org.jboss.threads.JBossThread.run(JBossThread.java:122) [jboss-threads.jar:2.1.1.Final-redhat-1]

This in itself is not the issue, as control characters (other than TAB) are illegal in cookies. However, the response to the browser sends an empty page and an HTTP status of 200 OK. This is clearly wrong.

Two possible proposals:

    org/apache/tomcat/util/http/CookieSupport.java

    185 public static final boolean isHttpSeparator(final char c) {
    186     if (c < 0x20 || c >= 0x7f) {
    187         if (c != 0x09) {
    188             throw MESSAGES.invalidControlCharacter();
    189         }
    190     }
    191
    192     return HTTP_SEPARATOR_FLAGS[c];
    193 }

could be made to check the STRICT_SERVLET_COMPLIANCE flag, and allow the control characters if this flag is false (alternatively an extra/new flag could be introduced).

However, whether the proposal above is implemented or not, the issue remains that if the MESSAGES.invalidControlCharacter(); exception is thrown, then the response should send an HTTP 500 status!
I tested if a Valve could be used as a workaround, but the exception happens before the Valve is hit. Side note: EAP 7 handles a control character without an issue (undertow)
Note that the cookie value used above is \uFFEF
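The following is an added example, not JBoss Web or Tomcat code: it models the rejection rule from CookieSupport.isHttpSeparator (any character below 0x20 or at/above 0x7f other than TAB) together with the two proposals in the report, a compliance-style toggle that lets such characters through and mapping the parse failure to a 500 instead of the observed empty 200. The `strict` parameter, the `InvalidControlCharacter` class and the request shapes are assumptions made for the example.

```python
"""Model of the cookie-value check and the response-status mapping.

Added example, not JBoss Web code. `strict` stands in for the reporter's
STRICT_SERVLET_COMPLIANCE-style toggle; the 500 stands in for the
status the report says a thrown invalidControlCharacter should produce.
"""

TAB = 0x09


class InvalidControlCharacter(ValueError):
    """Stands in for MESSAGES.invalidControlCharacter() (assumed name)."""


def is_control_char(c):
    """Same predicate as the Java check: c < 0x20 or c >= 0x7f, TAB excepted."""
    code = ord(c)
    return (code < 0x20 or code >= 0x7f) and code != TAB


def parse_cookie_header(header, strict=True):
    """Split 'name=value; name2=value2' into a dict.

    strict=True raises on control characters like JBoss Web does;
    strict=False keeps them, as the report's first proposal would.
    """
    cookies = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        if strict and any(is_control_char(c) for c in part):
            raise InvalidControlCharacter(
                "Control character in cookie value or attribute")
        name, sep, value = part.partition("=")
        cookies[name] = value if sep else ""
    return cookies


def handle_request(headers, strict=True):
    """Return (status, body). The bug in the report is an empty 200 when
    parsing throws; here the failure surfaces as a 500 as the report asks."""
    try:
        cookies = parse_cookie_header(headers.get("Cookie", ""), strict)
    except InvalidControlCharacter as exc:
        return 500, str(exc)
    return 200, "ok (%d cookie(s))" % len(cookies)


if __name__ == "__main__":
    # Constructed requests: the report's cookie ("=\uFFEF") and a benign one.
    bad = {"Cookie": "=\uffef"}
    good = {"Cookie": "JSESSIONID=abc123; theme=dark"}
    print(handle_request(bad))                # (500, 'Control character ...')
    print(handle_request(bad, strict=False))  # (200, 'ok (1 cookie(s))')
    print(handle_request(good))               # (200, 'ok (2 cookie(s))')
```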
Verified with EAP 6.4.13.CP.CR1
Released with EAP 6.4.13 on Feb 02 2017.