net/http: Allow double-quoted cookie values #10195
RFC 6265 allows cookie values to be double-quoted. However, the current sanitization code strips the double quotes out of a double-quoted value (i.e., a value beginning with a double quote and ending with a double quote). Ironically, the sanitization code double quotes a value if it begins or ends with a space or comma. The RFC grammar specification allowing the surrounding double quotes is also included in the comments of the sanitizeCookieValue() function.
The inability to double-quote a cookie value is preventing me from duplicating the behavior of a legacy Java system I am replacing.
There was some tangentially related conversation for #7243, but that conversation did not address this issue specifically.
I think you read the RFC wrong.
A cookie value may NOT contain a double quote. It even says so:
A double quote is only used to encode the value of a cookie when necessary (like it starting with a space).
Please describe the problem more. A client application shouldn't depend on a cookie being written as
Thanks for the feedback Brad. I am OK with this being closed and I can set the HTTP headers directly like you said.
Just for my own understanding, though, if you don't mind:
But you're referencing the cookie-octet here. There is also a cookie-value specification; this is what I was assuming should be allowed in the Value field for a cookie:
Am I misreading the RFC? Misunderstanding what Go's Cookie.Value field represents?
Go's Cookie.Value is the unencoded value.
The quoting in the RFC is for encoding it.
This snippet should make it clear: http://play.golang.org/p/8vA9El_3iU
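An added example (not the linked playground snippet and not code from the Go project) showing the distinction discussed in this thread: `Cookie.Value` holds the unencoded value, and the double quotes belong only to the wire encoding. The cookie name `n`, the helper names `wire` and `parse`, and the sample values are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/http"
)

// wire returns the serialized form net/http emits for a cookie whose
// unencoded value is v. The cookie name "n" is a placeholder.
func wire(v string) string {
	return (&http.Cookie{Name: "n", Value: v}).String()
}

// parse feeds a raw Cookie request header through net/http and returns
// the decoded Value of the cookie named "n".
func parse(header string) (string, error) {
	r := &http.Request{Header: http.Header{"Cookie": {header}}}
	c, err := r.Cookie("n")
	if err != nil {
		return "", err
	}
	return c.Value, nil
}

func main() {
	// Constructed sample values: plain, caller-quoted, leading space.
	// A '"' inside Value is not a valid cookie-octet, so it is dropped
	// (net/http logs a warning); a leading space triggers quoting.
	for _, v := range []string{`abc`, `"abc"`, ` abc`} {
		fmt.Printf("Value %-8q -> wire %s\n", v, wire(v))
	}
	// On the way in, surrounding quotes are part of the encoding and
	// are removed before the value is exposed as Cookie.Value.
	for _, h := range []string{`n=abc`, `n="abc"`, `n=" abc"`} {
		v, err := parse(h)
		fmt.Printf("header %-10q -> Value %q (err=%v)\n", h, v, err)
	}
}
```
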