Skip to content


Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP


Cookie names do not respect case #71

Firehed opened this Issue · 1 comment

2 participants

Firehed Assaf Arkin

If the server sends a cookie with an uppercase name (ex. PHP's default session cookie, PHPSESSID), Zombie sends that cookie back to the server with a lowercased name on subsequent requests, which may cause the server to ignore it.

{ server: 'nginx/0.7.67'
, date: 'Sun, 30 Jan 2011 22:33:21 GMT'
, 'content-type': 'text/html; charset=UTF-8'
, 'transfer-encoding': 'chunked'
, connection: 'close'
, vary: 'Accept-Encoding'
, 'set-cookie': 'PHPSESSID=hr1o146trejdk09tlb2pnuavd4; path=/;'
, expires: 'Thu, 19 Nov 1981 08:52:00 GMT'
, 'cache-control': 'no-store, no-cache, must-revalidate, post-check=0, pre-check=0'
, pragma: 'no-cache'
The above value (lowercased key) is mirrored at the server on subsequent requests.

This is my first time trying to submit a patch to github so hopefully it works :) I just skimmed the cookie RFC and it doesn't look like any case mangling should occur.

From 18dacaa9e5f85c6f6ea9ea52fa5e9462e79c66f7 Mon Sep 17 00:00:00 2001
From: Eric Stern <>
Date: Sun, 30 Jan 2011 14:49:57 -0800
Subject: [PATCH] Correct issue where cookie names did not respect case

 src/zombie/ |    1 -
 1 files changed, 0 insertions(+), 1 deletions(-)

diff --git a/src/zombie/ b/src/zombie/
index def8c0f..2f4a410 100644
--- a/src/zombie/
+++ b/src/zombie/
@@ -66,7 +66,6 @@ class Cookies
     this.set = (name, value, options = {})->
       return if options.domain && !domainMatch(options.domain, hostname)

-      name = name.toLowerCase()
       state = { value: value.toString() }
       if options.expires
         state.expires = options.expires.getTime()
Assaf Arkin

Thanks, fixed in head.

This issue was closed.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Something went wrong with that request. Please try again.