
how to send a raw cookie?

Open pfdtk opened this issue 4 years ago • 9 comments

https://github.com/yiisoft/yii2/blob/b33f1a7ecb71bef0f2cd1b68f0b770980a8ef39c/framework/web/Cookie.php#L44

How about adding a property sendRaw, so that we can decide whether to use setrawcookie or setcookie in the response?

pfdtk avatar May 18 '21 02:05 pfdtk

What's your use case?

samdark avatar May 19 '21 11:05 samdark

@samdark The value portion of the cookie will automatically be urlencoded, but I don't need urlencoding.

pfdtk avatar May 20 '21 09:05 pfdtk

Why?

samdark avatar May 20 '21 13:05 samdark

I'm not sure what the reason behind this questioning is. There is an option to send a raw cookie available and we are not allowing it to be used out of the box. The question is not whether it is better to use setrawcookie or setcookie.

bizley avatar May 20 '21 13:05 bizley

I've re-read the RFC and it seems that if you're carefully using ASCII values only, you're safe not encoding the value. I'd not consider that a good practice though. That's why the question.

samdark avatar May 20 '21 19:05 samdark

Why?

ebaKUq90PhiHck_MR7st-E1SxhbYWiTsLo82mCTbNuAh7rgflx5LVsYfJJseyQCrODuVcJkTSYhm1WKte-l5lQ==

I use this CSRF token string, but it will be sent to the browser as

ebaKUq90PhiHck_MR7st-E1SxhbYWiTsLo82mCTbNuAh7rgflx5LVsYfJJseyQCrODuVcJkTSYhm1WKte-l5lQ%3D%3D

Then I must decode it before sending it back to the backend server in the HTTP header X-CSRF-Token. It can work, but I think setrawcookie would be better.

pfdtk avatar May 21 '21 04:05 pfdtk

Alright. So you plan to override Request::generateCsrfToken() and turn on raw mode there? That both makes sense and is controversial. First of all, the CSRF token value is written into a meta tag in the HTML page source, so you can likely read it from there instead. Also, the default is that the cookie is httpOnly, so it can't be read from JavaScript at all... If not, using setrawcookie has good and bad parts:

Advantages

No need to call the following on the client side:

// Undo what PHP's setcookie() did to the value: '+' back to space, then percent-decoding.
function urldecode(url) {
  return decodeURIComponent(url.replace(/\+/g, ' '));
}

Disadvantages

You can't avoid urldecode for any other cookies. This can likely strike back later if someone decides to read other cookie values.

samdark avatar May 21 '21 06:05 samdark
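The comment above turns on two facts: PHP's setcookie() runs the value through urlencode() (so the trailing `==` of the token arrives as `%3D%3D`, and a space would arrive as `+`), and setrawcookie() sends the bytes untouched, which is only safe when every byte is a cookie-octet as defined in RFC 6265 section 4.1.1. The block below is an added example written for this page; it is not code from the thread, from the Yii code base, or from PHP. It emulates PHP's urlencode() in JavaScript, includes the client-side urldecode step, and adds the raw-safety check a server should run before choosing setrawcookie(). The header format built by buildSetCookie() and the cookie name `_csrf` are assumptions for illustration; the token value is the one quoted in the issue.

```javascript
// Added example, not from the yii2 thread or the Yii/PHP code base.
// Models what setcookie() (urlencode) and setrawcookie() (no encoding) put on
// the wire for a given value, and the RFC 6265 check that decides whether the
// raw form is safe at all.

// Emulation of PHP urlencode(): every byte except A-Z a-z 0-9 '-' '_' '.' is
// percent-encoded, and a space becomes '+'. Assumption: the JS string is
// UTF-8 encoded to bytes first, the way PHP would already hold it.
function phpUrlencode(value) {
  const bytes = new TextEncoder().encode(value);
  let out = '';
  for (const b of bytes) {
    const c = String.fromCharCode(b);
    if (b < 0x80 && /[A-Za-z0-9._-]/.test(c)) {
      out += c;
    } else if (b === 0x20) {
      out += '+';
    } else {
      out += '%' + b.toString(16).toUpperCase().padStart(2, '0');
    }
  }
  return out;
}

// The client-side decode step from the thread: restore spaces, then percent-decode.
function urldecode(url) {
  return decodeURIComponent(url.replace(/\+/g, ' '));
}

// RFC 6265 section 4.1.1 cookie-octet:
//   %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
// i.e. printable US-ASCII minus CTLs, space, DQUOTE, comma, semicolon and
// backslash. Only a value made entirely of these octets can be sent raw
// without corrupting the Set-Cookie line or being mangled by the browser.
function isRawSafeCookieValue(value) {
  return /^[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*$/.test(value);
}

// Builds the Set-Cookie line the server would emit in each mode. This is a
// simplified model of setcookie()/setrawcookie(), not Yii's Cookie class;
// the attribute list is an assumption chosen to match Yii's httpOnly default.
function buildSetCookie(name, value, { raw = false } = {}) {
  if (raw && !isRawSafeCookieValue(value)) {
    throw new Error(`cookie "${name}": value contains octets that must be encoded`);
  }
  const wireValue = raw ? value : phpUrlencode(value);
  return `Set-Cookie: ${name}=${wireValue}; Path=/; HttpOnly; SameSite=Lax`;
}

// Pulls the value of one cookie back out of a Set-Cookie line (up to ';').
function cookieValueFromHeader(header, name) {
  const m = header.match(new RegExp(`${name}=([^;]*)`));
  return m ? m[1] : null;
}

// Token value quoted in the issue (base64url-style, padded with '==').
const TOKEN =
  'ebaKUq90PhiHck_MR7st-E1SxhbYWiTsLo82mCTbNuAh7rgflx5LVsYfJJseyQCrODuVcJkTSYhm1WKte-l5lQ==';

// Shows both modes side by side for the issue's token.
function demo(token = TOKEN) {
  const encodedHeader = buildSetCookie('_csrf', token);            // setcookie()
  const rawHeader = buildSetCookie('_csrf', token, { raw: true }); // setrawcookie()
  const onWire = cookieValueFromHeader(encodedHeader, '_csrf');
  return {
    rawSafe: isRawSafeCookieValue(token),
    encodedOnWire: onWire,                  // ...lQ%3D%3D, what the browser stores
    decodedOnClient: urldecode(onWire),     // back to ...lQ== for X-CSRF-Token
    rawOnWire: cookieValueFromHeader(rawHeader, '_csrf'), // ...lQ== untouched
  };
}

console.log(demo());
```

The check in isRawSafeCookieValue() is the part worth keeping even if the framework never grows a raw mode: a base64url token passes it (letters, digits, `-`, `_` and `=` are all cookie-octets), while anything carrying a space, `;`, `,`, `"` or `\` does not, and buildSetCookie() refuses to send such a value raw rather than emitting a Set-Cookie line the browser would truncate or reject.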

Looking at the bigger picture here - it doesn't matter what the reason is for OP to want this feature, or whether it's a good or bad idea for him - I think there should be an option to send it from the framework, like in Symfony and Laravel (not sure here, maybe from v5 it is possible).

bizley avatar May 21 '21 07:05 bizley

Alright. Let's add "raw" mode.

samdark avatar May 21 '21 22:05 samdark