AEM Upgrade 6.4: Jetty, Cookies and RFC6265 Compliance

While upgrading AEM (< 6.4 Version) to AEM 6.4 version and in any use case if any servlet/component is setting a cookie with some text in Http Response than your API may fail & you may be encounter below exception in logs.

RFC6265 Cookie values may not contain character

What does this error message suggest?

Well, AEM 6.4 uses latest version of Jetty application as their servlet container. Jetty has changed their cookie policy. And policy suggests that you can’t have special chars or separator in the cookies without encoding them.

Up until now Jetty has supported Version=1 cookies defined in RFC2109 (and continued in RFC2965) which allows for special/reserved characters (control, separator, et al) to be enclosed within double quotes when declared in a Set-Cookie response header: See below example.

1Set-Cookie: foo=”bar;baz”;Version=1;Path=”/secur”

Which was added to the HTTP Response headers using the following calls.

Cookie cookie = new Cookie("foo", "bar;baz");

Solutions to fix Cookies problem?

Let’s see below simple code snippet. Just simply encode the cookie value & decode wherever you are using it.

Cookie cookie = new Cookie("foo", URLEncoder.encode("bar;baz", "utf-8"));

How to decode in Javascript & Java?

Follow below code snippet:

URLDecoder.decode(request.getCookie("foo").getValue(), "UTF-8");


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.