Invalid cookie value - cookie has spaces

[danielb2]

ref #2513

I came across the issue above with a website I'm migrating that has improperly escaped cookies with spaces in them. When trying to access a hapi server with those cookies, hapi fails with the error

{"statusCode":400,"error":"Bad Request","message":"Invalid cookie value"}

Because it's using legacy code, the cookies are stored on the user client.

Thoughts on how to handle this?

[hueniverse]

Did you try turning strict cookie parsing off?

[danielb2]

Are you talking about disabling parsing for cookies altogether, or is there one specifically to parse it still, just not in a "strict" way ? The latter I can't find

[hueniverse]

https://github.com/hapijs/statehood/blob/master/lib/index.js#L20

[danielb2]

I tried this before asking, but looks like I had missed one cookie name. 😓

[danielb2]

Oh, and thanks

[danielb2]

This came up again in a different context.

I tried using server.state('SESSIONID', { strictHeader: false }); however, that fails.

The only thing that worked is setting the config to option to state: { parse: false }

I looked at https://github.com/hapijs/hapi/blob/master/lib/connection.js#L78 but it looks like the server.state has an impact here per cookie.

What am I missing this time? Is it just not possible to configure per cookie?

[hueniverse]

How is the cookie invalid?

[danielb2]

 const headers = {
     Cookie: 'SESSIONID=4/7/2016 18:31:45 PM'
 };
 server.inject({ method: 'GET', url: url, headers: headers }, (res) => {

this will cause the error. removing the spaces causes it to work

[hueniverse]

Can you PR a test case showing how setting a single cookie config fails?

[danielb2]

going to close this either way

[carraher]

rather than setting parse:false I have worked around this by setting

      "routes":
            "state" : {
              "parse": true,
              "failAction": "ignore"
            }
      }

[tombh]

I just want to explain why @carraher's solution above worked for me. I'm using the hapi-cookie-auth plugin, which doesn't support the ignoreErrors: true option. I was in the situation of upgrading a site that had set, what that plugin would consider, invalid cookies. So I didn't want to create a single server.state() line just to ignore the errors on that one bad cookie name. That's why @carraher's more generic approach worked for me. Thanks.