Skip to content

/go

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

net/http: cookie name can't contain "[" and "]" #20429

Closed
mlaraluna opened this issue May 19, 2017 · 2 comments

Comments

Assignees
No one assigned
Labels
FrozenDueToAge NeedsInvestigation help wanted
Projects
None yet
Milestone
No milestone
5 participants
@mlaraluna @bradfitz @vdobler @kevinburke @gopherbot
@mlaraluna
Copy link

commented May 19, 2017

Golang 1.8, Ubuntu 16.04 64 Bit, Golang cannot using [ and ] for cookie name. for example
ck1 := http.Cookie{
Name: "[id]",
Value: "12345",
HttpOnly: true,
}
http.SetCookie(w, &ck1)

it will not be set,

it happen in httpserver and http client, for example this website ricardoalcala.com will set cookies that contain [ and ] in cookies name, if i make http request using cookiejar that cookie will not be save.

@bradfitz bradfitz changed the title Cookie name can't contain "[" and "]" net/http: cookie name can't contain "[" and "]" May 19, 2017

@bradfitz bradfitz added help wanted NeedsInvestigation labels May 19, 2017

@bradfitz

This comment has been minimized.

Sign in to view
Copy link
Member

commented May 19, 2017

/cc @odeke-em @nigeltao @vdobler
@vdobler

This comment has been minimized.

Sign in to view
Copy link
Contributor

commented May 20, 2017

From https://tools.ietf.org/html/rfc6265#section-4.1.1: cookie-name is a "token2 defined
in https://tools.ietf.org/html/rfc2616#section-2.2 which is:

token          = 1*<any CHAR except CTLs or separators>
separators     = "(" | ")" | "<" | ">" | "@"
                  | "," | ";" | ":" | "\" | <">
                  | "/" | "[" | "]" | "?" | "="
                  | "{" | "}" | SP | HT

So: works as intended as a valid cookie-name must contain neither "[" nor "]".

If ricardoalcala.com really tries to set cookies with [ or ] in the name, then it is
the fault of ricardoalcala.com. In that case it is still possible to access, parse
and handle the Set-Cookie header by hand and implement non-standard
behaviour.

@kevinburke kevinburke closed this May 20, 2017

@golang golang locked and limited conversation to collaborators May 20, 2018

@gopherbot gopherbot added the FrozenDueToAge label May 20, 2018

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
You can’t perform that action at this time.