httpd-apreq-dev mailing list archives

From Joe Schaefer <>
Subject Re: comma in cookie value
Date Fri, 14 Jan 2005 03:00:29 GMT
"Eric J. Hansen" <> writes:

> Apologies in advance as this is not a dev issue.
> I need to handle a cookie whose value includes a bare comma.  Example
> of the name=value is as follows:
> 62761POE=<aagwww1935528372764,>
> Unfortunately, I don't have any control over the value that's being
> set, and it's causing apreq to incorrectly decode both the cookie and
> one that's sent by the browser just after it.  Any suggestions on how
> to get apreq to parse the cookie value properly?  (aside from not using
> apreq's cookie and rolling my own...)

By any standard, that Cookie header string (assuming that's what it is) 
is defective.  One way to work around it is to write an early hook (or a 
protocol filter) into apache that detects the bogus ","-char in the
Cookie header.  Make that thing url-escape it (%2C) before mod_apreq
starts looking at r->headers_in.


> p.s. is it just me, or is the Netscape cookie spec ambiguous?

It is, but IMO the later RFC Cookie specs aren't a whole lot 
better in that regard.

> "This [cookie value] string is a sequence of characters excluding
> semi-colon, comma and white space. If there is a need to place such
> data in the name or value, some encoding method such as URL style %XX
> encoding is recommended, though no encoding is defined or
> required".....  so you shouldn't use semi-colon, comma or white space,
> but if you must then encoding is recommended, but not required?

What this means for libapreq is that we aren't supposed to unescape
the value for you (and we aren't going to support an embedded ","
either).  We have to treat the cookie value as an opaque string.
But if your application knows how the cookie was originally encoded,
feel free to decode it (%2C -> ',') within your application.

Joe Schaefer
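
The workaround described in the message above, sketched as an added example (not part of the original message and not libapreq or Apache code): the string rewrite an early hook would apply to the Cookie header before mod_apreq reads r->headers_in, plus the application-side decode of %2C. The function names are hypothetical, the hook wiring is not shown, and it assumes the client separates cookie pairs with ';' only.

```c
#include <stddef.h>
#include <string.h>

/* Rewrite a Cookie header so every bare ',' becomes "%2C".
 * Assumption: the client separates cookie pairs with ';' only, so any ','
 * belongs to a name or value. Returns the number of commas escaped, or -1
 * if out is too small (out is then emptied, never left half-rewritten). */
int cookie_escape_commas(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    int escaped = 0;

    if (outlen == 0)
        return -1;
    for (; *in != '\0'; in++) {
        size_t need = (*in == ',') ? 3 : 1;
        if (o + need >= outlen) {        /* reserve one byte for the NUL */
            out[0] = '\0';
            return -1;
        }
        if (*in == ',') {
            memcpy(out + o, "%2C", 3);
            escaped++;
        } else {
            out[o] = *in;
        }
        o += need;
    }
    out[o] = '\0';
    return escaped;
}

/* Application side: turn "%2C"/"%2c" back into ',' in one cookie value,
 * in place. Only that one escape is decoded; everything else stays opaque.
 * Caveat: a value that already contained a literal "%2C" before the rewrite
 * cannot be told apart from an escaped comma. Returns the new length. */
size_t cookie_value_restore_commas(char *v)
{
    char *r = v, *w = v;

    while (*r != '\0') {
        if (r[0] == '%' && r[1] == '2' && (r[2] == 'C' || r[2] == 'c')) {
            *w++ = ',';
            r += 3;
        } else {
            *w++ = *r++;
        }
    }
    *w = '\0';
    return (size_t)(w - v);
}
```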
