@Brad_Wood did raise some questions here [LDEV-3979] - Lucee about decisions we make when it comes to Lucee development. I hope the following helps to clarify things and maybe is the start of a helpful discussion.
his comment was
Yes, this ticket is good to go as far as working. X seems AWOL, but it’s working so far as I can tell.
That said, I think it’s perfectly fair to question why Lucee is doing what it’s doing.
The entire reason we’re having this conversation is because the outcome wasn’t correct and it seems we created problems for ourselves by not just using the servlet’s cookies.
The old, “Just trust us, we did this for a reason but we didn’t document why and we don’t need to explain it to you” doesn’t sit very well with me.
When we the Lucee Team are working on the Lucee core we have to made decisions all the time, for example I worked today mainly at the new S3 extensions 2.0 and i had to made some decisions in how to do things.
Some decisions i do make by myself and some i do escalate, it always helps to get more opinion and additional eyes on stuff, but that of course takes also time. I did discuss a lot of it with @Zackster, he did help to shape my decisions on this, but i did not escalate any of this decisions to the community, because non would affect them in any way.
Normally we only escalate the decision process to the community, when it also affects the community. For example when we change the interface of a tag or a function, add a new feature, anything that affects the community, but as long it does not affect the community we do not communicate it most of the time. I’m lucky to have a lot of smart people around me that i can ask for any specific topic.
Sure sometime it happens that a change like that leads to a regression, what then affects the community, but you never know it advance.
In that specific example, we saw that if a cookie is set with help of the header tag not following a 100% the pattern for cookies (having a space in the value), Tomcat still could handle it, but Undertow could not (or the other way around). So we decided to parse the cookies ourself, that way we always get the same result, independent of the servlet engines we are using and Lucee is more flexible on inputs. The pattern for cookies actually is very simple. The same way BTW we read the form and URL scope ourself (including multipart), we decided a long time ago no longer to use what is coming from JSP (Yes Lucee is “based” on JSP) for this scopes.
Problem was our solution did only read one “Cookie” header and ignored, when there is more that one. Even the specification only allows one, reality looks different. So because of that the community was affected, but that is the reason we are doing Snapshots and Release candidates so we catch things like this.
I hope this helps to understand how we come to decisions and that our goal is to include the community as much as possible.
If you disagree with me please do, loudly!