SignalR.Owin incorrectly parses cookies #1778

Open
desunit opened this Issue Apr 1, 2013 · 2 comments

@desunit
desunit commented Apr 1, 2013

I've found SignalR.Owin incorrectly interprets cookies: https://github.com/SignalR/SignalR/blob/master/src/Microsoft.AspNet.SignalR.Owin/ServerRequest.cs#L117

It uses the same code as the URL parser, which is not correct and causes many problems, especially when the SessionID contains a plus (+) sign.

According to RFC 2109, the value has to be:

(... a sequence of non-special, non-white space characters) from the HTTP/1.1 specification [RFC 2068] to describe their syntax.

A quick fix could be modifying that code so it suppresses the "+" replacement:
https://github.com/SignalR/SignalR/blob/master/src/Microsoft.AspNet.SignalR.Owin/Infrastructure/UrlDecoder.cs#L45

Another issue with the current code is that a cookie value could be "quoted", and then it wouldn't be handled correctly either.
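The two behaviours reported in the issue above, as an added example (not SignalR's or Microsoft.Owin's code): a form-style URL decoder turns `+` in a cookie value into a space and leaves surrounding quotes in place, while cookie-style handling keeps `+` and strips the quotes. The names `FormUrlDecode`, `CookieValue` and `Parse` and the header string are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;

static class CookieParsingDemo
{
    // Stand-in for a query-string style decoder (assumption, not the project's
    // UrlDecoder): '+' becomes a space, then %XX sequences are unescaped.
    static string FormUrlDecode(string s) => Uri.UnescapeDataString(s.Replace('+', ' '));

    // Cookie-style handling: the value is treated as opaque, so '+' stays
    // literal; one pair of surrounding double quotes is stripped.
    static string CookieValue(string s)
    {
        s = s.Trim();
        if (s.Length >= 2 && s[0] == '"' && s[s.Length - 1] == '"')
            s = s.Substring(1, s.Length - 2);
        return s;
    }

    // Splits a Cookie header into name/value pairs, applying the given decoder
    // to each value. Only the first '=' separates name from value.
    static Dictionary<string, string> Parse(string header, Func<string, string> decode)
    {
        var cookies = new Dictionary<string, string>(StringComparer.Ordinal);
        foreach (var pair in header.Split(';'))
        {
            int eq = pair.IndexOf('=');
            if (eq < 0) continue;                       // segment without a value
            string name = pair.Substring(0, eq).Trim();
            if (name.Length == 0) continue;             // nameless segment
            cookies[name] = decode(pair.Substring(eq + 1));
        }
        return cookies;
    }

    static void Main()
    {
        // Constructed Cookie header: a session id containing '+' and a quoted value.
        const string header = "SessionID=ab+cd/ef==; theme=\"dark\"";

        var asUrl = Parse(header, FormUrlDecode);
        var asCookie = Parse(header, CookieValue);

        foreach (var name in new[] { "SessionID", "theme" })
            Console.WriteLine("{0}: url-style=[{1}] cookie-style=[{2}]",
                              name, asUrl[name], asCookie[name]);
    }
}
```

A session identifier altered this way no longer matches the value the server issued, so a lookup keyed on it fails.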

@davidfowl
SignalR member

I believe this is fixed in the latest dev.

@davidfowl
SignalR member

We're using Microsoft.Owin in the dev branch which fixes this issue. We're currently not planning to release another 1.1.x at the moment, but if we do we'll see what we can do about this fix.
