-
-
Notifications
You must be signed in to change notification settings - Fork 153
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base64 cookies #41
Comments
Aren't the cookie's name and value URL-encoded (thus wouldn't have the literal |
no idea. some tests would help. i think i just read somewhere that you shouldn't send certain values as cookie values. i'm sure most browsers handle this case anyways |
The answer is they are URL-encoded, or not. It's up to the server, as cookie values are opaque ASCII values (see RFC 2965). The server just has to encode it the same way it wants to receive the value; the client does not do anything with the value. I've only seen servers encoding into UTF-8 and escaping the values (with, for example, But yea, this module could certainly base64-encode the values or URL-encode the values, as long as it decodes them in the same way :D |
meh if we don't need to do it then we shouldn't. if we're sure node isn't retarded in this aspect, then we can close it |
Now that, I'm not sure about. I already hate how it special handles |
It looks like node.js shouldn't be touching the values: https://github.com/joyent/node/blob/v0.10.28/lib/http.js#L395-L399 |
@dougwilson I did some additional research. RFC2109 specifies this grammar:
You'll note it calls out "token" as from HTTP/1.1, which states this:
Therefore base64-encoded values when they include "=" need to be quoted strings or URL-encoded. I would recommend always using quoted-strings as that seems like it should always work for a conforming client. |
to avoid issues with cookie strings with
;
and stuff.The text was updated successfully, but these errors were encountered: