Disclaimer: I’m not a Java guy, but ended up having to maintain some Java code.
I was recently trying to debug why a Java server was returning status code 500 on certain requests. I narrowed it down to some code that essentially did:
httpServletResponse.addHeader("Set-Cookie", "FOO=BAR; domain=localhost");
If I replaced domain=localhost with the domain from the URL, it worked. If I just removed that line of code, it also worked.
I found this rather surprising. I’d expect the browser to ignore such a cookie line, or at the least not have the whole server blow up. Searching around, I couldn’t find any documentation about any such constraints. Is this expected/documented behavior somewhere?
After enough digging and logging, I eventually tracked this down to the specific servlet server implementation I’m using, which really doesn’t like domain=localhost.
What I was really after was some specification that said something like, “Set-cookie with a bad domain value should result in a 500 server error”, or otherwise directly addressed the problem of “what servlets should do if a bad cookie domain is given in Set-Cookie.”
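As an added illustration (not code from the original post or from any particular servlet container), a small Java helper that builds the Set-Cookie value and omits the Domain attribute for single-label hosts such as localhost and for IP literals, so the cookie is host-only instead of carrying a domain value the container or browser may reject. The class and method names are assumptions; the returned string is what you would pass to httpServletResponse.addHeader.

```java
import java.util.Optional;

// Builds a Set-Cookie header value, adding a Domain attribute only when the
// request host is one the attribute makes sense for. Single-label hosts such
// as "localhost" and IP literals get a host-only cookie (no Domain attribute),
// which is the RFC 6265 behaviour when Domain is absent.
public final class CookieHeaderBuilder {

    // Returns the Domain attribute value to use, or empty to omit it.
    static Optional<String> domainFor(String requestHost) {
        if (requestHost == null || requestHost.isEmpty()) {
            return Optional.empty();
        }
        String host = requestHost.toLowerCase();
        // IPv6 literal such as "[::1]": browsers do not domain-match IP literals.
        if (host.startsWith("[")) {
            return Optional.empty();
        }
        // Strip a port if one was carried along from the Host header.
        int colon = host.indexOf(':');
        if (colon >= 0) {
            host = host.substring(0, colon);
        }
        // IPv4 literal: same rule, omit Domain.
        if (host.matches("\\d{1,3}(\\.\\d{1,3}){3}")) {
            return Optional.empty();
        }
        // Single-label host such as "localhost": omit Domain, host-only cookie.
        if (!host.contains(".")) {
            return Optional.empty();
        }
        return Optional.of(host);
    }

    // Assembles the Set-Cookie value; attribute order follows RFC 6265 examples.
    static String setCookieValue(String name, String value, String requestHost) {
        StringBuilder sb = new StringBuilder(name).append('=').append(value);
        domainFor(requestHost).ifPresent(d -> sb.append("; Domain=").append(d));
        sb.append("; Path=/; HttpOnly");
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample hosts; "localhost:8080" yields no Domain attribute.
        System.out.println(setCookieValue("FOO", "BAR", "localhost:8080"));
        System.out.println(setCookieValue("FOO", "BAR", "app.example.com"));
    }
}
```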