SignalR.Owin incorrectly parses cookies #1778

desunit opened this Issue Apr 1, 2013 · 2 comments

2 participants

desunit commented Apr 1, 2013

I've found SignalR.Owin incorrectly interprets cookies:

It uses the same code as the URL parser, which is not correct and causes many problems, especially when the SessionID contains a plus (+) sign.

According to RFC 2109, the value has to be:

(... a sequence of non-special, non-white space characters) from the HTTP/1.1 specification [RFC 2068] to describe their syntax.

The quick fix could be modifying that code so it suppresses "+" replacing:

Another issue with the current code is that a cookie value could be "quoted", and then it wouldn't be handled correctly either.
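
The two problems reported above, shown as an added example that is not SignalR.Owin or Microsoft.Owin code: the same Cookie header parsed once with URL/form decoding (where "+" means space) and once with percent-decoding only, with one pair of surrounding quotes stripped from a value. `CookieDemo`, `Parse` and the header string are constructed for illustration, and the example assumes the application percent-encodes its cookie values.

```csharp
using System;
using System.Collections.Generic;
using System.Net;

// Added illustration; CookieDemo and Parse are hypothetical names.
static class CookieDemo
{
    // Splits a Cookie request header into name/value pairs and decodes
    // each value with the supplied function.
    static Dictionary<string, string> Parse(string header, Func<string, string> decode)
    {
        var cookies = new Dictionary<string, string>(StringComparer.Ordinal);
        foreach (var raw in header.Split(';'))
        {
            string part = raw.Trim();
            int eq = part.IndexOf('=');
            if (eq <= 0) continue;                      // skip empty or nameless segments
            string name = part.Substring(0, eq).Trim();
            string value = part.Substring(eq + 1).Trim();
            // A value may arrive as a quoted-string: strip one pair of quotes.
            if (value.Length >= 2 && value[0] == '"' && value[value.Length - 1] == '"')
                value = value.Substring(1, value.Length - 2);
            cookies[name] = decode(value);
        }
        return cookies;
    }

    static void Main()
    {
        // Constructed header: a session id containing '+' and a quoted value.
        const string header = "SessionID=ab+cd/ef%3D; theme=\"dark\"";

        // URL/form decoding: '+' is rewritten to a space, so the id no longer
        // matches what the server issued and the session lookup fails.
        var formStyle = Parse(header, WebUtility.UrlDecode);

        // Percent-decoding only: '+' is left as a literal character.
        var percentOnly = Parse(header, Uri.UnescapeDataString);

        Console.WriteLine("form-style   : [{0}]", formStyle["SessionID"]);
        Console.WriteLine("percent-only : [{0}]", percentOnly["SessionID"]);
        Console.WriteLine("quoted value : [{0}]", percentOnly["theme"]);
    }
}
```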

SignalR member

I believe this is fixed in the latest dev.

SignalR member

We're using Microsoft.Owin in the dev branch which fixes this issue. We're currently not planning to release another 1.1.x at the moment, but if we do we'll see what we can do about this fix.
