SignalR.Owin incorrectly parses cookies #1778

Open
desunit opened this Issue Apr 1, 2013 · 2 comments


desunit commented Apr 1, 2013

I've found SignalR.Owin incorrectly interprets cookies: https://github.com/SignalR/SignalR/blob/master/src/Microsoft.AspNet.SignalR.Owin/ServerRequest.cs#L117

It uses the same code as the URL parser, which is not correct and causes many problems, especially when the SessionID contains a plus (+) sign.

According to RFC 2109 value has to be:

(... a sequence of non-special, non-white space characters) from the HTTP/1.1 specification [RFC 2068] to describe their syntax.

The quick fix could be modifying that code so it suppresses "+" replacing:
https://github.com/SignalR/SignalR/blob/master/src/Microsoft.AspNet.SignalR.Owin/Infrastructure/UrlDecoder.cs#L45

Another issue with the current code is that a cookie value could be "quoted", and then it wouldn't be handled correctly either.
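
The difference reported above, as an added C# example that is not SignalR's code and not part of the original post: a form-style decoder turns `+` into a space, while a cookie-aware parser keeps the value as sent and strips one pair of surrounding quotes. The header, class and method names are constructed for illustration, and the parser assumes no `;` appears inside a quoted value.

```csharp
using System;
using System.Collections.Generic;

static class CookieParsingExample
{
    // Form/query-string style decoding: '+' becomes a space. Applying this to a
    // Cookie header is the behaviour the issue reports.
    static string FormDecode(string s) => Uri.UnescapeDataString(s.Replace('+', ' '));

    // Splits a Cookie header into name/value pairs. With cookieRules set, the
    // value is kept verbatim apart from stripping one pair of surrounding quotes.
    // Assumption: no ';' inside quoted values (kept simple for the example).
    static Dictionary<string, string> Parse(string header, bool cookieRules)
    {
        var result = new Dictionary<string, string>(StringComparer.Ordinal);
        foreach (var part in header.Split(';'))
        {
            int eq = part.IndexOf('=');
            if (eq <= 0) continue;                       // skip malformed or empty pairs
            string name = part.Substring(0, eq).Trim();
            string value = part.Substring(eq + 1).Trim();
            if (cookieRules)
            {
                if (value.Length >= 2 && value[0] == '"' && value[value.Length - 1] == '"')
                    value = value.Substring(1, value.Length - 2);
            }
            else
            {
                value = FormDecode(value);               // corrupts '+' in the value
            }
            result[name] = value;
        }
        return result;
    }

    static void Main()
    {
        // Constructed header: a session id containing '+', and a quoted value.
        const string header = "ASP.NET_SessionId=ab+cd/ef==; theme=\"dark\"";
        var asUrl = Parse(header, cookieRules: false);
        var asCookie = Parse(header, cookieRules: true);
        Console.WriteLine("url-style:    [{0}] [{1}]", asUrl["ASP.NET_SessionId"], asUrl["theme"]);
        Console.WriteLine("cookie-style: [{0}] [{1}]", asCookie["ASP.NET_SessionId"], asCookie["theme"]);
    }
}
```

A session id that no longer matches what the server issued fails the session lookup, which is why the `+` substitution surfaces as a session problem rather than a parsing error.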

Member

davidfowl commented May 13, 2013

I believe this is fixed in the latest dev.

Member

davidfowl commented Jun 25, 2013

We're using Microsoft.Owin in the dev branch which fixes this issue. We're currently not planning to release another 1.1.x at the moment, but if we do we'll see what we can do about this fix.
