net/http: drop spaces in SetCookie values #3033
Comments
Don't use cookies with spaces in them. Your example works fine if you use "myvalue" instead of "my value". The Cookie parser rejects cookie values with spaces in them. This might or might not be a mistake. SetCookie blindly sends cookies with spaces in them, which also might or might not be a mistake. This can probably wait until after Go 1.

Full test program:

```go
package main

import (
	"fmt"
	"log"
	"net/http"
	"time"
)

func main() {
	http.HandleFunc("/", setcookie)
	http.HandleFunc("/readcookie", readcookie)
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", nil))
}

// setcookie sets a cookie that expires in one year and redirects to /readcookie.
func setcookie(w http.ResponseWriter, req *http.Request) {
	expiration := time.Now().AddDate(1, 0, 0)
	cookie := http.Cookie{Name: "foo", Value: "myvalue", Expires: expiration}
	http.SetCookie(w, &cookie)
	http.Redirect(w, req, "/readcookie", 307)
}

// readcookie prints the "foo" cookie (or the parse error) and then every cookie received.
func readcookie(w http.ResponseWriter, req *http.Request) {
	c, err := req.Cookie("foo")
	fmt.Fprintf(w, "foo: %v %v\n", c, err)
	fmt.Fprintf(w, "all:\n")
	for _, c := range req.Cookies() {
		fmt.Fprintf(w, "\t%s\n", c)
	}
}
```

Labels changed: added priority-later, removed priority-triage. Owner changed to builder@golang.org. Status changed to Accepted.
According to RFC 6265, spaces are not allowed in the value of a cookie (not even if double-quoted). See http://tools.ietf.org/html/rfc6265#section-4.1.1. Unfortunately, RFC 2109 did allow spaces in double-quoted values. RFC 6265 is pretty clear that the cookie-value is not a string but just some octets. Section 4.1.1 states that values should be encoded and suggests Base64. See also the note at the end of section 5.4.

As SetCookie does not return an error, its possibilities on an invalid cookie value are limited:

- set the given (invalid) value (current behaviour)
- ignore the cookie
- panic
- encode the value

As it is called SetCookie and not MustSetCookie, panic is not an option. Just ignoring it without any feedback is impolite. Encoding the value is a hairy issue, as there is no single right way to do it. Go typically is very explicit, so an implicit, automatic encoding in SetCookie if the value contains illegal characters feels strange. Additionally, it adds the overhead of deciding whether to encode or not to every call. I'd suggest better documentation of SetCookie with an example of how to manually encode the cookie value beforehand.
Issue #4613 has been merged into this issue.
Dunno how I missed those. Okay, log.Print + drop (ignore) spaces, then? I don't think we should omit the cookie entirely: I think it will be easier for people to debug if we're sending _something_. Rewriting spaces to underscores is fine too. I thought about rewriting to ␣ but I bet UTF-8 is not allowed in cookie values.
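The two options discussed above, the RFC 6265 cookie-octet check with log-and-drop sanitising from this comment and the explicit Base64 encoding suggested in the earlier one, as an added example that is not the net/http code from the fix (function names are assumptions chosen for illustration):

```go
package main

import (
	"encoding/base64"
	"log"
)

// validCookieOctet reports whether b is a cookie-octet per RFC 6265 section
// 4.1.1: %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E, i.e. printable US-ASCII
// minus CTLs, space, DQUOTE, comma, semicolon and backslash.
func validCookieOctet(b byte) bool {
	return b == 0x21 || (b >= 0x23 && b <= 0x2B) || (b >= 0x2D && b <= 0x3A) ||
		(b >= 0x3C && b <= 0x5B) || (b >= 0x5D && b <= 0x7E)
}

// ValidCookieValue reports whether every byte of v is a cookie-octet.
func ValidCookieValue(v string) bool {
	for i := 0; i < len(v); i++ {
		if !validCookieOctet(v[i]) {
			return false
		}
	}
	return true
}

// SanitizeCookieValue follows the resolution reached in this thread: log the
// problem and drop the offending bytes, so that something is still sent and
// the bug is visible in the server log instead of silently omitting the cookie.
func SanitizeCookieValue(v string) string {
	if ValidCookieValue(v) {
		return v
	}
	log.Printf("cookie value %q contains invalid bytes; dropping them", v)
	out := make([]byte, 0, len(v))
	for i := 0; i < len(v); i++ {
		if validCookieOctet(v[i]) {
			out = append(out, v[i])
		}
	}
	return string(out)
}

// EncodeCookieValue is the explicit alternative: encode before calling
// http.SetCookie. The unpadded URL-safe Base64 alphabet consists only of
// cookie-octets, so arbitrary bytes round-trip via base64.RawURLEncoding.
func EncodeCookieValue(v string) string {
	return base64.RawURLEncoding.EncodeToString([]byte(v))
}
```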
https://golang.org/cl/12204043 Status changed to Started.
This issue was closed by revision 17d803d. Status changed to Fixed.
Issue #5999 has been merged into this issue.
This issue was closed.
by frel8817: