net/http: document that SetCookie name must be valid #9758

Closed
carbocation opened this issue Feb 3, 2015 · 4 comments

@carbocation
commented Feb 3, 2015

In net/http, before cookies are read, they are checked to ensure they have a valid name. However, when setting a cookie, an invalid name may be used; rather than being permitted, this should trigger an error.

There is further discussion on the gorilla sessions topic in which it was suggested that I raise this possibility here.

To answer the questions in the guidelines:
What version of Go are you using (go version)? 1.4
What operating system and processor architecture are you using? OS X 64-bit
What did you do? Created a cookie with an empty name (or spaces, or other invalid characters) and set it in a way that was seemingly successful.
What did you expect to see? I expected to see an error.
What did you see instead? I saw my cookie get set, but I could not read it (as its name is invalid, and correctly filtered out on the reading end of things).

@mikioh changed the title from "net/http should reject setting cookies with invalid names" to "net/http: should reject setting cookies with invalid names" Feb 3, 2015

@bradfitz

Member

commented Feb 3, 2015

I'm not sure there's anything to do here. We can't change the signature to return an error, and a panic would be unexpected.

This might just be "Status: Unfortunate".

Maybe we just add documentation to say that the cookie name must be valid on Set-Cookie.

@bradfitz added this to the Go1.5 milestone Feb 3, 2015

@carbocation

Author

commented Feb 3, 2015

Your point is well taken. Documentation would be valuable - and I wonder if a signature change for 2.0 could be considered (if I am correctly recalling the Go compatibility guarantees)?

@adg

Contributor

commented Feb 3, 2015

@carbocation sure, the http package will change dramatically in 2.0. Lots of improvements to be made with API changes.

@rsc changed the title from "net/http: should reject setting cookies with invalid names" to "net/http: document that SetCookie name must be valid" Jun 29, 2015

@gopherbot


commented Jun 30, 2015

CL https://golang.org/cl/11701 mentions this issue.

@bradfitz closed this in 9462bce Jun 30, 2015

@golang locked and limited conversation to collaborators Jun 29, 2016
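
Since `http.SetCookie` has no error return, a caller who wants the failure this issue asks for can validate the name before calling it. The following is an added example, not code from this thread or from the Go project; `SetCookieChecked`, `validCookieName` and `ErrInvalidCookieName` are hypothetical names, and the sample cookie names are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// ErrInvalidCookieName is returned when the name is not a valid HTTP token.
var ErrInvalidCookieName = errors.New("invalid cookie name")

// validCookieName reports whether name is a non-empty HTTP token:
// letters, digits and the punctuation listed below, nothing else.
func validCookieName(name string) bool {
	for i := 0; i < len(name); i++ {
		c := name[i]
		alnum := 'a' <= c && c <= 'z' || 'A' <= c && c <= 'Z' || '0' <= c && c <= '9'
		if !alnum && strings.IndexByte("!#$%&'*+-.^_`|~", c) < 0 {
			return false
		}
	}
	return name != ""
}

// SetCookieChecked (hypothetical wrapper) rejects a bad name with an error
// instead of handing it to http.SetCookie, which has no error return.
func SetCookieChecked(w http.ResponseWriter, c *http.Cookie) error {
	if c == nil {
		return fmt.Errorf("%w: nil cookie", ErrInvalidCookieName)
	}
	if !validCookieName(c.Name) {
		return fmt.Errorf("%w: %q", ErrInvalidCookieName, c.Name)
	}
	http.SetCookie(w, c)
	return nil
}

func main() {
	// Constructed sample names: empty, whitespace, separators, one valid.
	for _, name := range []string{"", " ", "bad name", "a;b", "session_id"} {
		rec := httptest.NewRecorder()
		err := SetCookieChecked(rec, &http.Cookie{Name: name, Value: "v"})
		fmt.Printf("%q err=%v header=%q\n", name, err, rec.Header().Get("Set-Cookie"))
	}
}
```

Session and authentication code is where this matters most: a cookie that is never stored looks to the handler like a successful login followed by an unauthenticated request.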
