
Is comma a valid character in cookie-value

Tags:

http

cookies

In some web servers, a cookie with a comma in its value will be split into two cookies (one with an empty value). For example, "foo=bar,goo" will be treated just like "foo=bar;goo=". Is this right according to the RFC?

I found this RFC document but don't know exactly what it means.

cookie-pair       = cookie-name "=" cookie-value
cookie-name       = token
cookie-value      = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE )
cookie-octet      = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
                   ; US-ASCII characters excluding CTLs,
                   ; whitespace DQUOTE, comma, semicolon,
                   ; and backslash

RFC 6265

leetom asked Aug 19 '14 15:08



1 Answer

cookie-pair       = cookie-name "=" cookie-value
cookie-name       = token
cookie-value      = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE )
cookie-octet      = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
                   ; US-ASCII characters excluding CTLs,
                   ; whitespace DQUOTE, comma, semicolon,
                   ; and backslash

What are those keywords: cookie-pair, cookie-name, cookie-value, cookie-octet?

cookie-value is the right-side part of =.

cookie-octet is the real value, enclosed in double quotes or nothing. See:

key="value"

or

key=value

When you put in a , (or ;) see what happens:

key="value,",key2="value2"

or

key=value,,key2=value2

So, your assumption is not quite correct and you must not use a comma or semicolon inside the value.

Daniel W. answered Sep 25 '22 22:09
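An added example, not part of the original question or answer and not any server's actual code: it checks a value against the `cookie-value` grammar quoted above and contrasts a semicolon-only split with a model of the comma-splitting behaviour the question describes. All function names are hypothetical and the sample header is constructed.

```python
import re

# cookie-octet exactly as in the RFC 6265 grammar quoted above.
_OCTET = r"[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]"
# cookie-value = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE )
_COOKIE_VALUE = re.compile(rf'(?:{_OCTET}*|"{_OCTET}*")\Z')
_ONE_OCTET = re.compile(_OCTET)


def is_valid_cookie_value(value):
    """True if value is bare or DQUOTE-wrapped cookie-octets, nothing else."""
    return _COOKIE_VALUE.match(value) is not None


def invalid_octets(value):
    """Sorted list of characters in value that are not cookie-octets."""
    # A matching pair of wrapping DQUOTEs is part of the grammar, not the data.
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return sorted({ch for ch in value if not _ONE_OCTET.fullmatch(ch)})


def parse_semicolon_only(header):
    """Split a Cookie header value on ';' only; a comma stays inside the value."""
    pairs = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            pairs[name] = value
    return pairs


def parse_comma_splitting(header):
    """Model (an assumption) of the behaviour in the question: ',' also separates."""
    return parse_semicolon_only(header.replace(",", ";"))


def parsers_disagree(header):
    """True when the two splitting rules yield different cookies for one header."""
    return parse_semicolon_only(header) != parse_comma_splitting(header)


if __name__ == "__main__":
    header = "foo=bar,goo"  # constructed sample, taken from the question's example
    print(parse_semicolon_only(header))   # one cookie, value contains the comma
    print(parse_comma_splitting(header))  # two cookies, second one empty
    for name, value in parse_semicolon_only(header).items():
        print(name, is_valid_cookie_value(value), invalid_octets(value))
```

Rejecting or encoding a value before it is set, based on `is_valid_cookie_value`, keeps the header unambiguous for every parser that later reads it.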