how to send a raw cookie? #18661

Open
pfdtk opened this issue May 18, 2021 · 9 comments
Labels
status:ready for adoption Feel free to implement this issue. type:enhancement

Comments


pfdtk commented May 18, 2021

public $value = '';

How about adding a property sendRaw, so that we can decide whether to use setrawcookie or setcookie in the response?

@bizley bizley added status:ready for adoption Feel free to implement this issue. type:enhancement labels May 18, 2021
Member

samdark commented May 19, 2021

What's your use case?

Author

pfdtk commented May 20, 2021

@samdark
The value portion of the cookie will automatically be urlencoded, but I don't need urlencode.

Member

samdark commented May 20, 2021

Why?

Member

bizley commented May 20, 2021

I'm not sure what the reason behind this questioning is. There is an option to send a raw cookie available and we are not allowing its use out of the box. The question is not whether it is better to use setrawcookie or setcookie.

Member

samdark commented May 20, 2021

I've re-read the RFC and it seems that if you're carefully using ASCII values only, you're safe not encoding the value. I wouldn't consider that a good practice though. That's why the question.

Author

pfdtk commented May 21, 2021

Why?

ebaKUq90PhiHck_MR7st-E1SxhbYWiTsLo82mCTbNuAh7rgflx5LVsYfJJseyQCrODuVcJkTSYhm1WKte-l5lQ==

I use this CSRF token string, but it will be sent to the browser as

ebaKUq90PhiHck_MR7st-E1SxhbYWiTsLo82mCTbNuAh7rgflx5LVsYfJJseyQCrODuVcJkTSYhm1WKte-l5lQ%3D%3D

Then I must decode it before sending it back to the backend server with the HTTP header X-CSRF-Token. It can work, but I think setrawcookie will be better.

Member

samdark commented May 21, 2021

Alright. So you plan to override Request::generateCsrfToken() and turn on raw mode there? That both makes sense and is controversial. First of all, the CSRF token value is written into a meta tag in the HTML page source, so you can likely read it from there instead. Also, the default is that the cookie is httpOnly, so it can't be read from JavaScript at all... If not, using setrawcookie has good and bad parts:

Advantages

No need to call the following on the client side:

function urldecode(url) {
  return decodeURIComponent(url.replace(/\+/g, ' '));
}

Disadvantages

You can't avoid urldecode for any other cookies. It can likely strike back later if someone decides to get other cookie values.

@samdark samdark added status:under discussion and removed status:ready for adoption Feel free to implement this issue. labels May 21, 2021
Member

bizley commented May 21, 2021

Looking at the bigger picture here - it doesn't matter what the reason is for OP to have this feature and whether it's a good or bad idea for him - I think there should be an option to send it from the framework, like in Symfony and Laravel (not sure here, maybe from v5 it is possible).

Member

samdark commented May 21, 2021

Alright. Let's add "raw" mode.

@samdark samdark added status:ready for adoption Feel free to implement this issue. and removed status:under discussion labels May 21, 2021
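
The mismatch discussed in this thread, as an added example (not code from the issue or from the framework): it reads a cookie from a document.cookie-shaped string, returns the value that belongs in X-CSRF-Token depending on whether the server used setcookie or setrawcookie, and checks a value against the RFC 6265 cookie-octet set before it is sent raw. The cookie name `_csrf`, the function names and the sample cookie strings are assumptions constructed for illustration; the token is the one quoted in the thread, and the cookie is assumed to be readable by script (httpOnly off).

```javascript
// Added example. TOKEN is the value quoted in the thread; everything else is constructed.
const TOKEN =
  'ebaKUq90PhiHck_MR7st-E1SxhbYWiTsLo82mCTbNuAh7rgflx5LVsYfJJseyQCrODuVcJkTSYhm1WKte-l5lQ==';

// RFC 6265 cookie-octet: printable US-ASCII except space, DQUOTE, comma,
// semicolon and backslash. Only such a value can be sent without encoding.
const COOKIE_OCTETS = /^[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*$/;
function isRawSafe(value) {
  return COOKIE_OCTETS.test(value);
}

// Same decoding as the urldecode() helper quoted in the thread.
function urldecode(s) {
  return decodeURIComponent(s.replace(/\+/g, ' '));
}

// Return the named cookie's value exactly as stored (no decoding), or null.
// cookieString has the shape of document.cookie: "a=1; b=2".
function readCookie(cookieString, name) {
  for (const pair of cookieString.split(';')) {
    const item = pair.trim();
    const eq = item.indexOf('='); // split on the first "=" only; values may contain "="
    if (eq > 0 && item.slice(0, eq) === name) return item.slice(eq + 1);
  }
  return null;
}

// Value to place in X-CSRF-Token. `encoded` says how the server wrote the
// cookie: true for setcookie() (urlencoded), false for setrawcookie().
function csrfHeaderValue(cookieString, name, encoded) {
  const stored = readCookie(cookieString, name);
  if (stored === null) return null;
  return encoded ? urldecode(stored) : stored;
}

// Constructed cookie strings; the cookie name "_csrf" is an assumption.
const encodedJar = 'lang=en; _csrf=' + encodeURIComponent(TOKEN);
const rawJar = 'lang=en; _csrf=' + TOKEN;

console.log(readCookie(encodedJar, '_csrf').endsWith('%3D%3D')); // stored form differs from TOKEN
console.log(csrfHeaderValue(encodedJar, '_csrf', true) === TOKEN);
console.log(csrfHeaderValue(rawJar, '_csrf', false) === TOKEN);
// Decoding a raw value corrupts it when it contains "+" (standard base64):
console.log(JSON.stringify(urldecode('ab+c/d==')));
console.log(isRawSafe(TOKEN), isRawSafe('a b;c'));
```

Once some cookies are raw and others encoded, the client has to know per cookie which decoding applies; running urldecode on a raw value silently changes any "+" it contains.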
3 participants