Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Why do cookie values with whitespace arrive at the client side with quotes?

When you set a cookie value with one of the following values as mentioned in Cookie#setValue(),

With Version 0 cookies, values should not contain white space, brackets, parentheses, equals signs, commas, double quotes, slashes, question marks, at signs, colons, and semicolons. Empty values may not behave the same way on all browsers.

then the average container will implicitly set the cookie to version 1 (RFC 2109 spec) instead of the default version 0 (Netscape spec). The behaviour is not specified by the Servlet API, the container is free to implement it (it may for example throw some IllegalArgumentException). As far as I know, Tomcat, JBoss AS and Glassfish behave all the same with regard to implicitly changing the cookie version. For at least Tomcat and JBoss AS this is the consequence of fixes for this security issue.

A version 1 cookie look like this:

name="value with spaces";Max-Age=3600;Path=/;Version=1

while a version 0 compatible cookie look like this:

name=value%20with%20spaces;Expires=Mon, 29-Aug-2011 14:30:00 GMT;Path=/

(note that an URL-encoded value is valid for version 0)

Important note is that Microsoft Internet Explorer doesn't support version 1 cookies. Even not the current IE 11 release. It'll interpret the quotes being part of the whole cookie value and will treat and return that accordingly. It does not support the Max-Age attribute and it'll ignore it altogether which causes that the cookie's lifetime defaults to the browser session. You was apparently using IE to test the cookie handling of your webapp.

To support MSIE as well, you really need to URL-encode and URL-decode the cookie value yourself if it contains possibly characters which are invalid for version 0.

Cookie cookie = new Cookie(name, URLEncoder.encode(value, "UTF-8"));
// ...

and

String value = URLDecoder.decode(cookie.getValue(), "UTF-8"));
// ...

In order to support version 1 cookies for the worldwide audience, you'll really wait for Microsoft to fix the lack of MSIE support and that the browser with the fix has become mainstream. In other words, it'll take ages (update: as of now, 5+ years later, it doesn't seem to ever going to happen). In the meanwhile you'd best stick to version 0 compatible cookies.


As far as I know, spaces must be encoded in cookies. Different browsers react differently to un-encoded cookies. You should URL-encode your cookie before setting it.

String cookieval = "my value";
String cookieenc = URLEncoder.encode(cookieval, "UTF-8");
res.addCookie(new Cookie("myCookieName", cookieenc));

ASP.NET does the encoding automatically, in Java you have to do it yourself. I suspect the quotes you see are added by the user agent.


It probably has to do with the way Java encodes the cookie. I suggest you try calling setVersion(1) on the new cookie and see if that works for you.


Try using setVersion(0).

HttpCookie cookie = new HttpCookie("name", "multi word value");
System.out.println(cookie.toString());

prints:

name="several word value"

But after setting

cookie.setVersion(0);
System.out.println(cookie.toString());

prints:

name=several word value

Encoding is a good idea too, but the quotes around the value look to be an independent issue.