Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

base64 cookies #41

Open
jonathanong opened this issue May 13, 2014 · 7 comments
Open

base64 cookies #41

jonathanong opened this issue May 13, 2014 · 7 comments

Comments

@jonathanong
Copy link
Member

to avoid issues with cookie strings with ; and stuff.

@dougwilson
Copy link
Contributor

to avoid issues with cookie strings with ; and stuff.

Aren't the cookie's name and value URL-encoded (thus wouldn't have the literal ; over the wire)?

@jonathanong
Copy link
Member Author

no idea. some tests would help. i think i just read somewhere that you shouldn't send certain values as cookie values. i'm sure most browsers handle this case anyways

@dougwilson
Copy link
Contributor

The answer is they are URL-encoded, or not. It's up to the server, as cookie values are opaque ASCII values (see RFC 2965). The server just has to encode it the same way it wants to receive the value; the client does not do anything with the value. I've only seen servers encoding into UTF-8 and escaping the values (with, for example, escape or encodeURIComponent).

But yea, this module could certainly base64-encode the values or URL-encode the values, as long as it decodes them in the same way :D

@jonathanong
Copy link
Member Author

meh if we don't need to do it then we shouldn't.

if we're sure node isn't retarded in this aspect, then we can close it

@dougwilson
Copy link
Contributor

if we're sure node isn't retarded in this aspect

Now that, I'm not sure about. I already hate how it special handles Cookie header into an array of the headers...

@dougwilson
Copy link
Contributor

It looks like node.js shouldn't be touching the values: https://github.com/joyent/node/blob/v0.10.28/lib/http.js#L395-L399

@Fishrock123 Fishrock123 added this to the 1.0.0 milestone Jun 19, 2014
@robpaveza
Copy link

@dougwilson I did some additional research. RFC2109 specifies this grammar:

 The two state management headers, Set-Cookie and Cookie, have common
 syntactic properties involving attribute-value pairs.  The following
 grammar uses the notation, and tokens DIGIT (decimal digits) and
 token (informally, a sequence of non-special, non-white space
 characters) from the HTTP/1.1 specification [RFC 2068] to describe
 their syntax.

 av-pairs        =       av-pair *(";" av-pair)
 av-pair         =       attr ["=" value]        ; optional value
 attr            =       token
 value           =       word
 word            =       token | quoted-string

You'll note it calls out "token" as from HTTP/1.1, which states this:

      token          = 1*<any CHAR except CTLs or tspecials>

      tspecials      = "(" | ")" | "<" | ">" | "@"
                     | "," | ";" | ":" | "\" | <">
                     | "/" | "[" | "]" | "?" | "="
                     | "{" | "}" | SP | HT

Therefore base64-encoded values when they include "=" need to be quoted strings or URL-encoded. I would recommend always using quoted-strings as that seems like it should always work for a conforming client.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

4 participants