
base64 cookies

Open jonathanong opened this issue 10 years ago • 7 comments

to avoid issues with cookie strings with ; and stuff.

jonathanong avatar May 13 '14 01:05 jonathanong

to avoid issues with cookie strings with ; and stuff.

Aren't the cookie's name and value URL-encoded (thus wouldn't have the literal ; over the wire)?

dougwilson avatar May 13 '14 02:05 dougwilson

no idea. some tests would help. i think i just read somewhere that you shouldn't send certain values as cookie values. i'm sure most browsers handle this case anyways

jonathanong avatar May 13 '14 02:05 jonathanong

The answer is they are URL-encoded, or not. It's up to the server, as cookie values are opaque ASCII values (see RFC 2965). The server just has to encode it the same way it wants to receive the value; the client does not do anything with the value. I've only seen servers encoding into UTF-8 and escaping the values (with, for example, escape or encodeURIComponent).

But yea, this module could certainly base64-encode the values or URL-encode the values, as long as it decodes them in the same way :D

dougwilson avatar May 13 '14 03:05 dougwilson

meh if we don't need to do it then we shouldn't.

if we're sure node isn't retarded in this aspect, then we can close it

jonathanong avatar May 13 '14 03:05 jonathanong

if we're sure node isn't retarded in this aspect

Now that, I'm not sure about. I already hate how it special-handles the Cookie header into an array of the headers...

dougwilson avatar May 13 '14 03:05 dougwilson

It looks like node.js shouldn't be touching the values: https://github.com/joyent/node/blob/v0.10.28/lib/http.js#L395-L399

dougwilson avatar May 13 '14 03:05 dougwilson

@dougwilson I did some additional research. RFC2109 specifies this grammar:

 The two state management headers, Set-Cookie and Cookie, have common
 syntactic properties involving attribute-value pairs.  The following
 grammar uses the notation, and tokens DIGIT (decimal digits) and
 token (informally, a sequence of non-special, non-white space
 characters) from the HTTP/1.1 specification [RFC 2068] to describe
 their syntax.

 av-pairs        =       av-pair *(";" av-pair)
 av-pair         =       attr ["=" value]        ; optional value
 attr            =       token
 value           =       word
 word            =       token | quoted-string

You'll note it calls out "token" as from HTTP/1.1, which states this:

      token          = 1*<any CHAR except CTLs or tspecials>

      tspecials      = "(" | ")" | "<" | ">" | "@"
                     | "," | ";" | ":" | "\" | <">
                     | "/" | "[" | "]" | "?" | "="
                     | "{" | "}" | SP | HT

Therefore base64-encoded values when they include "=" need to be quoted strings or URL-encoded. I would recommend always using quoted-strings as that seems like it should always work for a conforming client.

robpaveza avatar Jul 29 '16 16:07 robpaveza
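An added example (not code from this thread or from the cookies module) that applies the grammar quoted above: it checks a value against the full tspecials list, so a base64 "=" and "/" both fail the token test, and shows the two representations robpaveza describes, quoted-string and URL-encoding, with a parser that decodes the same way the value was encoded, as dougwilson notes it must. Function names and the sample values are my own.

```javascript
// Added example, not part of the cookies module. tspecials as listed in
// HTTP/1.1 (RFC 2068); "/" and "=" are both in it, so raw base64 is not a token.
const TSPECIALS = '()<>@,;:\\"/[]?={} \t';

// token = 1*<any CHAR except CTLs or tspecials>; CHAR is US-ASCII 0-127.
function isToken(value) {
  if (value.length === 0) return false;
  for (const ch of value) {
    const code = ch.charCodeAt(0);
    if (code > 127 || code < 32 || code === 127) return false; // non-CHAR or CTL
    if (TSPECIALS.includes(ch)) return false;
  }
  return true;
}

// quoted-string: wrap in DQUOTE, escaping backslash and DQUOTE as quoted-pair.
function toQuotedString(value) {
  return '"' + value.replace(/(["\\])/g, '\\$1') + '"';
}

// Serialize one av-pair. strategy 'quote' leaves tokens bare and quotes the
// rest; strategy 'urlencode' percent-encodes every value so decoding is uniform.
function serializeAvPair(name, value, strategy = 'quote') {
  if (!isToken(name)) throw new Error('cookie name must be a token');
  if (strategy === 'urlencode') return `${name}=${encodeURIComponent(value)}`;
  return isToken(value) ? `${name}=${value}` : `${name}=${toQuotedString(value)}`;
}

// Parse av-pairs back with the same strategy the server used to encode them.
// Splits on ";" but treats a quoted-string as one unit, so ";" inside quotes
// stays in the value. Returns a Map of name -> decoded value.
function parseAvPairs(header, strategy = 'quote') {
  const out = new Map();
  const re = /\s*([^=;\s]+)\s*=\s*("(?:[^"\\]|\\.)*"|[^;]*?)\s*(?:;|$)/g;
  let m;
  while ((m = re.exec(header)) !== null) {
    let v = m[2];
    if (strategy === 'urlencode') {
      v = decodeURIComponent(v);
    } else if (v.length >= 2 && v.startsWith('"') && v.endsWith('"')) {
      v = v.slice(1, -1).replace(/\\(.)/g, '$1'); // undo quoted-pair escapes
    }
    out.set(m[1], v);
  }
  return out;
}

module.exports = { isToken, toQuotedString, serializeAvPair, parseAvPairs };
```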