[issue2193] Cookie Colon Name Bug

karl report at bugs.python.org
Wed Jan 5 14:23:38 CET 2011


karl <karl+pythonbugs at la-grange.net> added the comment:

John: Ah sorry, if I misunderstood. The bug seems to say that it is about the Cookie Name and the legal chars for this cookie name. What I was trying to say is that the processing of the Cookie Name is different depending on whether you are a client or a server *and* that there is a specification being developed by Adam Barth (part of browser vendors) to obsolete RFC 2109.

In the case of Server sending to the Client
    Set-Cookie: Name=Value

The rules for producing cookies must be strict. Always. I.e., when the module is used for creating a cookie, the "colon" character is indeed forbidden. The "token" syntax for valid chars and invalid chars is now defined in RFC2696. It means that any US-ASCII characters EXCEPT the following are authorized:

control characters (octets 0-31) and DEL (octet 127) and the following characters: "(", ")", "<", ">", "@", ",", ";", ":", "\", "/", "[", "]", "?", "=", "{", "}", the double quote character itself, US-ASCII SP (octet 32) or the tabulation (octet 9)

Then, if you use the Cookie module for a client, it is no longer the same story.


In the case of Client storing the value of the cookie sent by a server.
See the section "5.2.  The Set-Cookie Header", 
http://tools.ietf.org/html/draft-ietf-httpstate-cookie-20#section-5.2

quote:
  
    If the user agent does not ignore the Set-Cookie header
    field in its entirety, the user agent MUST parse the
    field-value of the Set-Cookie header field as a
    set-cookie-string (defined below).
    
    NOTE: The algorithm below is more permissive than the
    grammar in Section 4.1. For example, the algorithm strips
    leading and trailing whitespace from the cookie name and
    value (but maintains internal whitespace), whereas the
    grammar in Section 4.1 forbids whitespace in these
    positions. User agents use this algorithm so as to
    interoperate with servers that do not follow the
    recommendations in Section 4.

/quote

Then the algorithm is described, which means that what the server will parse will not necessarily be what the server has generated.

Section 5.4 says how the Cookie header should be sent to the server, with an algorithm for what the server will receive.

John, do you think there is a missing algorithm for parsing the value of cookie header when sent by the client?

----------

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue2193>
_______________________________________
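The asymmetry the message describes, strict "token" rules when a server produces a Set-Cookie header versus the permissive whitespace-stripping algorithm a user agent applies when it parses one (draft-ietf-httpstate-cookie-20, section 5.2), as an added example in Python. This is illustration code written for this page, not code from the Cookie module or from the bug report; the function names and the sample header strings are constructed for the example.

```python
"""Strict cookie-name production vs. permissive Set-Cookie parsing.

Example code added for illustration; not from the Python Cookie module.
"""

# Separator characters from the "token" grammar quoted in the message.
# A strict producer rejects a cookie-name containing any of these, any
# control character (octets 0-31), DEL (127), SP or HT.
SEPARATORS = set('()<>@,;:\\"/[]?={} \t')


def is_valid_cookie_name(name: str) -> bool:
    """Strict server-side check: is `name` a single RFC-style token?"""
    if not name:
        return False
    for ch in name:
        code = ord(ch)
        if code < 32 or code >= 127 or ch in SEPARATORS:
            return False
    return True


def format_set_cookie(name: str, value: str) -> str:
    """Produce a Set-Cookie header field, refusing illegal names.

    The value check is deliberately minimal (no ';', ',', '"', '\\',
    controls or whitespace); the point here is the name.
    """
    if not is_valid_cookie_name(name):
        raise ValueError("illegal cookie-name: %r" % name)
    for ch in value:
        if ch in ';,"\\ \t' or ord(ch) < 32 or ord(ch) >= 127:
            raise ValueError("illegal cookie-value: %r" % value)
    return "Set-Cookie: %s=%s" % (name, value)


def parse_set_cookie_string(s: str):
    """Permissive user-agent algorithm from section 5.2 of the draft.

    Returns None when the draft says the string is ignored entirely,
    otherwise a dict with the (whitespace-stripped) name, value and a
    dict of lower-cased attribute names to attribute values.
    """
    # Split the name-value-pair from the unparsed attributes at the first ';'.
    if ';' in s:
        name_value_pair, unparsed = s.split(';', 1)
    else:
        name_value_pair, unparsed = s, ''

    # No '=' in the name-value-pair: ignore the set-cookie-string.
    if '=' not in name_value_pair:
        return None
    name, value = name_value_pair.split('=', 1)

    # Strip leading and trailing WSP (SP / HT) only; keep internal whitespace.
    name = name.strip(' \t')
    value = value.strip(' \t')
    if name == '':
        return None

    attrs = {}
    for cookie_av in unparsed.split(';'):
        if '=' in cookie_av:
            attr_name, attr_value = cookie_av.split('=', 1)
        else:
            attr_name, attr_value = cookie_av, ''
        attr_name = attr_name.strip(' \t').lower()
        attr_value = attr_value.strip(' \t')
        if attr_name:
            attrs[attr_name] = attr_value
    return {'name': name, 'value': value, 'attrs': attrs}


if __name__ == '__main__':
    # Constructed sample: a server would never be allowed to emit this name,
    # yet a browser following section 5.2 happily stores it.
    header = ' foo:bar = baz ; Path=/; Secure'
    print(is_valid_cookie_name('foo:bar'))      # strict producer: False
    print(parse_set_cookie_string(header))      # permissive parser keeps it
```

Running it shows the two halves of the message side by side: `format_set_cookie("foo:bar", "baz")` raises, because the colon is a separator, while `parse_set_cookie_string(" foo:bar = baz ; Path=/; Secure")` returns name `foo:bar` and value `baz` after stripping the surrounding whitespace, so a name the strict grammar forbids is exactly what a client-side parser can end up holding.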