When setting cookies, PHP url-encodes the cookie value (at least when not using setrawcookie) and it url-decodes the cookie value before making it available to the application in $_COOKIE.
Is this an accepted standard? If I set a raw cookie value of a%3Db, would I get back a=b in most web programming languages (through their respective cookie-reading mechanisms)?
55951 – HTML5 specifies UTF-8 encoding for cookie values.
Why do we need to encode? URLs can only have certain characters from the standard 128 character ASCII set. Reserved characters that do not belong to this set must be encoded. This means that we need to encode these characters when passing into a URL.
Cookies are always base64 and JSON encoded #158.
Cookies are plain text; they contain no executable code. A web page or server instructs a browser to store this information and then send it back with each subsequent request based on a set of rules.
sytech's answer (which I have accepted) is certainly correct as it quotes the spec, but since the spec is rather vague, here's an overview of how some web frameworks actually handle the matter:
RFC6265: "for example Base64"
PHP: URL encode
Go: raw
Node.js + Express: URL encode
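
The difference in the overview above matters when two layers (for example a proxy and an application) read the same cookie under different conventions. The following is an added example, not code from the question, the answers, or any of the frameworks named: it reads one constructed Cookie header both ways and reports where the results disagree. The function names and the sample header are assumptions, and decodeURIComponent stands in for the percent-decoding step; individual frameworks differ in details.

```javascript
// Constructed sample header: one percent-encoded value, one plain value,
// and one value with a truncated (malformed) percent sequence.
const SAMPLE_HEADER = 'pref=a%3Db; sid=abc123; bad=%E0%A4%A';

// Split "name=value; name2=value2" into pairs without touching the values.
function parseCookieHeader(header) {
  const out = new Map();
  for (const part of header.split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue; // no "=": not a name=value pair
    const name = part.slice(0, eq).trim();
    const value = part.slice(eq + 1).trim();
    // Keeping the first occurrence of a name is a choice made for this example.
    if (name && !out.has(name)) out.set(name, value);
  }
  return out;
}

// "raw" convention: return the value exactly as it appeared on the wire.
function readRaw(header, name) {
  return parseCookieHeader(header).get(name);
}

// "URL encode" convention: percent-decode the value on read.
// decodeURIComponent throws URIError on malformed sequences, so fall back
// to the raw value instead of letting a crafted cookie crash the handler.
function readUrlDecoded(header, name) {
  const value = parseCookieHeader(header).get(name);
  if (value === undefined) return undefined;
  try {
    return decodeURIComponent(value);
  } catch (err) {
    return value;
  }
}

// True when the two conventions would hand the application different strings.
function decodingDiffers(header, name) {
  return readRaw(header, name) !== readUrlDecoded(header, name);
}

for (const name of parseCookieHeader(SAMPLE_HEADER).keys()) {
  console.log(name, JSON.stringify(readRaw(SAMPLE_HEADER, name)),
    JSON.stringify(readUrlDecoded(SAMPLE_HEADER, name)),
    decodingDiffers(SAMPLE_HEADER, name) ? 'DIFFERS' : 'same');
}
```

Any validation or signature check on a cookie should run on the same form of the value (raw or decoded) that the application later uses.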