Quoted cookie value in Set-Cookie header #1170

Closed
nnposter opened this Issue Apr 1, 2018 · 1 comment

nnposter commented Apr 1, 2018

Parser for Set-Cookie header (function parse_set_cookie in http.lua) is currently treating cookie values enclosed in double quotes as intuitively expected: The string inside the quotes becomes the parsed cookie value.

However, the header syntax described in RFC 6265, section 4.1.1 does not seem to specify such behavior. While not stated explicitly, the surrounding quotes are meant to remain part of the cookie value.

Preserving the quotes appears consistent with Firefox, IE, and presumably other browsers. There are also server applications that break when these quotes are stripped off.

I am proposing to modify the parser to align it with the browser behavior. (I will be happy to implement the change but some discussion might be in order.)

Set-Cookie: aaa="b\"bb"; Path = "ddd eee" fff

...will be parsed as:

| key | old value | new value |
|---|---|---|
| name | `aaa` | `aaa` |
| value | `b"bb` | `"b\"bb"` |
| path | `ddd eee` | `"ddd eee" fff` |
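
The old and new parsing behaviours compared above, as an added Python example that is not part of the original issue and is not the Lua code from Nmap's http.lua. The function name mirrors the one named in the issue; the `keep_quotes` switch, the helper `_read_unquoted` and the exact old-parser rules are assumptions chosen to reproduce the table.

```python
# Added illustration in Python; not the Lua code from Nmap's http.lua.
# Both policies are sketches written to reproduce the table in the issue.
OWS = " \t"


def _read_unquoted(s, i):
    """Old policy (assumed): unwrap a quoted value, resolve backslash escapes,
    and discard anything between the closing quote and the next ';'."""
    out = []
    i += 1  # skip the opening quote
    while i < len(s) and s[i] != '"':
        if s[i] == "\\" and i + 1 < len(s):
            i += 1  # keep the escaped character, drop the backslash
        out.append(s[i])
        i += 1
    end = s.find(";", i)
    return "".join(out), len(s) if end < 0 else end


def parse_set_cookie(header, keep_quotes):
    """Return {'name', 'value', <lower-cased attribute>: value, ...}."""
    fields, i = [], 0
    while i < len(header):
        eq = header.find("=", i)
        semi = header.find(";", i)
        semi = len(header) if semi < 0 else semi
        if eq < 0 or eq > semi:  # attribute without a value, e.g. Secure
            key, val = header[i:semi].strip(OWS), ""
        else:
            key = header[i:eq].strip(OWS)
            start = eq + 1
            while start < semi and header[start] in OWS:
                start += 1
            if not keep_quotes and header[start:start + 1] == '"':
                val, semi = _read_unquoted(header, start)
            else:
                # New policy: the raw text up to the next ';', quotes and all
                # (the splitting rule of RFC 6265 section 5.2).
                val = header[start:semi].strip(OWS)
        if key or val:
            fields.append((key, val))
        i = semi + 1
    if not fields:
        return {}
    cookie = {"name": fields[0][0], "value": fields[0][1]}
    cookie.update((k.lower(), v) for k, v in fields[1:])
    return cookie


SAMPLE = r'aaa="b\"bb"; Path = "ddd eee" fff'  # the header from the issue
```

Scripts that replay a parsed cookie in a `Cookie` header only send back the bytes the server set when the quotes are kept, which is the case the issue raises about server applications breaking.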
nnposter commented Apr 25, 2018

Resolved with r37235 (23d61f5)

@nnposter nnposter closed this Apr 25, 2018
