Treat first name/value pair in Set-Cookie: as the cookie name [RFC compliance] #709

Closed
bagder opened this Issue Mar 9, 2016 · 0 comments

bagder commented Mar 9, 2016

RFC 6265 section 4.1.1 spells out that the first name/value pair in the header is the actual cookie name and content, while the following are the parameters.

libcurl currently has a more liberal approach which causes significant problems when introducing new cookie parameters, like the suggested new cookie priority draft.

The current parser gets all n/v pairs and the first name that isn't a known parameter will be considered the cookie, thus accepting Set-Cookie: Max-Age=2; name=daniel while an RFC compliant parser should consider that to be a cookie named 'Max-Age'.

@bagder bagder added the HTTP label Mar 9, 2016
@bagder bagder added a commit that closed this issue Mar 10, 2016
@bagder bagder cookies: first n/v pair in Set-Cookie: is the cookie, then parameters
RFC 6265 section 4.1.1 spells out that the first name/value pair in the
header is the actual cookie name and content, while the following are
the parameters.

libcurl previously had a more liberal approach which causes significant
problems when introducing new cookie parameters, like the suggested new
cookie priority draft.

The previous logic read all n/v pairs from left-to-right and the first
name used that wasn't a known parameter name would be used as the
cookie name, thus accepting "Set-Cookie: Max-Age=2; person=daniel" to be
a cookie named 'person' while an RFC 6265 compliant parser should
consider that to be a cookie named 'Max-Age' with an (unknown) parameter
'person'.

Fixes #709
7f7fcd0
@bagder bagder closed this in 7f7fcd0 Mar 10, 2016
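
The two behaviours discussed in this issue, side by side, as an added example in C (not libcurl's code and not part of the original issue or commit). The helper `cookie_name()` and its `strict` flag are hypothetical; the attribute list is the one defined in RFC 6265 section 4.1.1.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
/* Attribute names from RFC 6265 section 4.1.1, lowercase */
static const char *known[] = { "expires", "max-age", "domain", "path",
                               "secure", "httponly" };

static int is_known(const char *n, size_t len)
{
  for(size_t i = 0; i < sizeof(known) / sizeof(known[0]); i++) {
    size_t j = 0;
    while(j < len && known[i][j] && tolower((unsigned char)n[j]) == known[i][j])
      j++;
    if(j == len && !known[i][j])
      return 1; /* case-insensitive match on the whole name */
  }
  return 0;
}

/* strict=1: the first pair names the cookie (RFC 6265). strict=0: the first
   pair whose name is not a known attribute does. Returns 0, or -1 if none. */
static int cookie_name(const char *hdr, int strict, char *out, size_t outlen)
{
  for(const char *p = hdr; *p; ) {
    p += strspn(p, " \t");                  /* skip leading blanks */
    size_t len = strcspn(p, "=;");          /* name ends at '=' or ';' */
    const char *next = p + strcspn(p, ";"); /* end of this pair */
    while(len && (p[len - 1] == ' ' || p[len - 1] == '\t'))
      len--;
    if(len && len < outlen && (strict || !is_known(p, len))) {
      memcpy(out, p, len);
      out[len] = '\0';
      return 0;
    }
    if(strict)
      break; /* first pair unusable: reject the header */
    p = *next ? next + 1 : next;
  }
  return -1;
}

int main(void)
{
  char a[64] = "", b[64] = "";
  cookie_name("Max-Age=2; person=daniel", 0, a, sizeof(a)); /* from the commit */
  cookie_name("Max-Age=2; person=daniel", 1, b, sizeof(b));
  printf("lenient: %s\nstrict: %s\n", a, b);
  return 0;
}
```

In lenient mode the result depends on the contents of `known`, so adding a new attribute name to that list changes which pair is taken as the cookie; in strict mode it never does.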