Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Definite guide to valid Cookie values

Tags:

java

http

I know there are other questions but they seem to have answers which are assumptions rather than being definitive.

My limited understanding is that cookie values are:

  • semi-colons are already used to separate cookies attributes within a single cookie.
  • equals signs are used to separate cookie names and values
  • colons are used to separate multiple cookies within a header.

Are there any other "special" characters ?

Some other q/a suggest that one base64 encodes the value but this does of course may include equals signs which of course are not valid.

i have also seen some suggestions that values may be quoted this however leads to other questions.

  • do the special characters need to be quoted ?
  • do quoted values support the usual backslash escaping mechanisms.

RFC I read a few RFCs including some of the many cookie RFCS but i am still unsure as there is cross reference to another RFC etc with no definitive simple explaination or sample that "answers" my query.

Hopefully no one will say read the RFC because the question becomes which RFC...?

I think i have also read that different browsers have slightly different rules so hopefully please note this in your answers if this matters.

like image 504
mP. Avatar asked May 24 '11 09:05

mP.

1 Answers

The latest RFC is 6265, and it states that previous Cookie RFCs are obsoleted.

Here's what the syntax rules in the RFC say:

 cookie-pair       = cookie-name "=" cookie-value
 cookie-name       = token
 cookie-value      = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE )
 cookie-octet      = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
                       ; US-ASCII characters excluding CTLs,
                       ; whitespace DQUOTE, comma, semicolon,
                       ; and backslash

Thus:

  • The special characters are white-space characters, double quote, comma, semicolon and backslash. Equals is not a special character.

  • The special characters cannot be used at all, with the exception that double quotes may surround the value.

  • Special characters cannot be quoted.

  • Backslash does not act as an escape.

It follows that base-64 encoding can be used, because equals is not special.

Finally, from what I can tell, the RFC 6265 cookie values are defined so that they will work with any browser that implements any of the Cookie RFCs. However, if you tried to use cookie values that don't conform to RFC 6265 (but do arguably do conform to earlier RFCs), you may find that cookie behavior varies with different browsers.

In short, conform to the letter of RFC 6265 and you should be fine.

If you need pass cookie values that include any of the forbidden characters, your application needs to do its own encoding and decoding of the values; e.g. using base64.

like image 94
Stephen C Avatar answered Oct 27 '22 04:10

Stephen C
Sign in to Comment

Related questions

DAO methods and synchronized
Session Lost when closing the browser
Understanding Java bytes
Execute my groovy script with ant or maven
What prevents HttpSession's id from being stolen?
Best way to share portions of a Maven pom.xml across unrelated projects?
Java convert GIF image to PNG format
Warning for generic varargs
How to send multiple emails in one session?
Getting equal symbol expected while using jstl
setTextViewText not updating widget
SWT: How to do High Quality Image Resize
Illegal start of expression for Annotations
Can a Java HashMap's size() be out of sync with its actual entries' size?
Date convert dd-MMM-yyyy to dd-MM-yyyy in java
Looking for a faster way to perform string searches
Performance of BeanUtils vs. ReflectionToStringBuilder (for use in Bean classes)
set size wont work in java
Apache CXF - credentials not being sent from WSS4JOutInterceptor?
using Object as a mutex in java

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!