What are allowed characters in cookies?

佛祖请我去吃肉 2020-11-22 03:36

What are the allowed characters in both cookie name and value? Are they same as URL or some common subset?

Reason I'm asking is that I've recently hit some strange

13 answers
  • 2020-11-22 04:18

    I ended up using

    cookie_value = encodeURIComponent(my_string);
    

    and

    my_string = decodeURIComponent(cookie_value);
    

    That seems to work for all kinds of characters. I had weird issues otherwise, even with characters that weren't semicolons or commas.

  • 2020-11-22 04:25

    You cannot put ";" in the value field of a cookie; the name that will be set is the string until the ";" in most browsers...

  • 2020-11-22 04:26

    There is another interesting issue with IE and Edge. Cookies that have names with more than 1 period seem to be silently dropped. So this works:

    cookie_name_a=valuea

    while this will get dropped

    cookie.name.a=valuea

  • 2020-11-22 04:26

    If you are using the variables later, you'll find that stuff like path actually will let accented characters through, but it won't actually match the browser path. For that you need to URIEncode them. So i.e. like this:

      const encodedPath = encodeURI(myPath);
      document.cookie = `use_pwa=true; domain=${location.host}; path=${encodedPath};`
    

    So the "allowed" chars might be more than what's in the spec. But you should stay within the spec, and use URI-encoded strings to be safe.

  • 2020-11-22 04:27

    In ASP.Net you can use System.Web.HttpUtility to safely encode the cookie value before writing to the cookie and convert it back to its original form on reading it out.

    // Encode
    HttpUtility.UrlEncode(cookieData);
    
    // Decode
    HttpUtility.UrlDecode(encodedCookieData);
    

    This will stop ampersands and equals signs splitting a value into a bunch of name/value pairs as it is written to a cookie.

  • 2020-11-22 04:27

    Here it is, in as few words as possible. Focus on characters that need no escaping:

    For cookies:

    abdefghijklmnqrstuvxyzABDEFGHIJKLMNQRSTUVXYZ0123456789!#$%&'()*+-./:<>?@[]^_`{|}~
    

    For urls

    abdefghijklmnqrstuvxyzABDEFGHIJKLMNQRSTUVXYZ0123456789.-_~!$&'()*+,;=:@
    

    For cookies and urls ( intersection )

    abdefghijklmnqrstuvxyzABDEFGHIJKLMNQRSTUVXYZ0123456789!$&'()*+-.:@_~
    

    That's how you answer.

    Note that for cookies, the = has been removed because it is usually used to set the cookie value.

    For urls the = was kept. The intersection is obviously without.

    var chars = "abdefghijklmnqrstuvxyz"; chars += chars.toUpperCase() + "0123456789" + "!$&'()*+-.:@_~";
    

    Turns out escaping is still occurring and unexpected things are happening, especially in a Java cookie environment where the cookie is wrapped with double quotes if it encounters the last characters.

    So to be safe, just use A-Za-z1-9. That's what I am going to do.

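The answers above settle on percent-encoding the value and note that ";" ends it. As an added example (not taken from any of the answers), this JavaScript checks a name and a value against the RFC 6265 grammar and round-trips an encoded value; the helper names and sample strings are assumptions made for the illustration.

```javascript
// Added example: RFC 6265 grammar checks plus the percent-encoding suggested above.
// Helper names (isCookieName, isCookieValue, serializeCookie, parseCookieHeader)
// are hypothetical; sample inputs are constructed.

// cookie-name is an HTTP "token": visible ASCII minus the separators
// ( ) < > @ , ; : \ " / [ ] ? = { } (and no space, tab or control characters).
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

// cookie-octet: %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E, i.e. visible
// ASCII without double quote, comma, semicolon, backslash or whitespace.
const COOKIE_OCTETS = /^[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*$/;

function isCookieName(name) {
  return TOKEN.test(name);
}

function isCookieValue(value) {
  return COOKIE_OCTETS.test(value);
}

// Build "name=value" for document.cookie or a Set-Cookie header.
// The name is rejected rather than rewritten; the value is always encoded,
// so ";" "," "=" spaces and non-ASCII text cannot end the value early.
function serializeCookie(name, value) {
  if (!isCookieName(name)) {
    throw new TypeError("invalid cookie name: " + JSON.stringify(name));
  }
  return name + "=" + encodeURIComponent(value);
}

// Parse a Cookie request header ("a=1; b=2") back into decoded pairs.
function parseCookieHeader(header) {
  const jar = new Map();
  for (const part of header.split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue; // no "=": not a name=value pair
    const name = part.slice(0, eq).trim();
    let value = part.slice(eq + 1).trim();
    try {
      value = decodeURIComponent(value);
    } catch (e) {
      // malformed %-sequence: keep the raw text
    }
    if (!jar.has(name)) jar.set(name, value); // first occurrence wins
  }
  return jar;
}
```

Everything `encodeURIComponent` emits is a valid cookie-octet, so the encoded value always passes `isCookieValue`. The grammar accepts a name such as `cookie.name.a`; the IE/Edge behaviour reported above is a browser quirk outside it.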