cookie spec

Anyone know where I can find info on the cookie spec? I seem to be having a
problem (after hours of narrowing it down) where I am using some special
characters that are not allowed in a cookie name or data.

What I'm essentially doing is encrypting the name/data then encoding it
using base64, but base64 uses the special characters +, /, and =. They seem
to be causing problems with the cookie being written or read. I have mapped
the ='s into _ and can map the + into - because I think those work for
cookies but I am not sure... and then I have the issue with the / (which
I'm thinking of using _ for too, but I have to handle the case where it
occurs at the end of the string to be encoded, which will cause it to be
confused with the padding).

Any ideas? This is driving me nuts ;/ (thought it was my encryption part and  
spent hours on debugging that ;)


Re: cookie spec


Interesting problem Jon,

I'm not really sure that the spec will help you, but just in case, you
can read it here:

The cookie is commonly transported simply as a header extension to the
HTTP protocol, so that spec is probably more relevant:

Also make sure you are setting the cookie using the PHP method
setrawcookie(). If using setcookie(), are you accounting for the
automatic urlencoding that PHP does to your cookie value?

Hope that helps,

Re: cookie spec



token          = 1*<any CHAR except CTLs or separators>
separators     = "(" | ")" | "<" | ">" | "@"
               | "," | ";" | ":" | "\" | <">
               | "/" | "[" | "]" | "?" | "="
               | "{" | "}" | SP | HT
CTL            = <any US-ASCII control character
                 (octets 0 - 31) and DEL (127)>

I see here exactly which characters are not allowed.

I'm going to try the setrawcookie and see what happens and if no success I
will escape the characters myself. The issue seems to be with the '/' which
is used by base64. The + seems ok... this is all assuming that the cookies
use the grammar properly.

Thanks

Re: cookie spec

Jon Slaughter wrote:


Have you thought instead of using:

    $encoded = urlencode(base64_encode($data));

This should create a string consisting of only alphanumeric data and '%'.

To go back the other way:

    $data = base64_decode(urldecode($encoded));

Toby A Inkster BSc (Hons) ARCS
Geek of ~ HTML/SQL/Perl/PHP/Python/Apache/Linux

Re: cookie spec


I thought about it... but I didn't know if it would work. Probably should
have tried it...

In any case, doesn't setcookie do that anyways? Or does it just encode it
and not decode it? Just kinda getting tired of trying everything as it's not
easy to debug the cookies since I cannot set a cookie in the Zend debugger
for some reason.

It does seem to be working now though when I have converted /, =, and + into
#, - and _..

I assume that urlencode is idempotent? Else it won't work if I use
setrawcookie and it is not url decoding.

Once I finish the code completely I'll go back and look at all this mess and  
see what I can do to improve it.
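
An added example, not code from any poster in this thread: it checks a string against the `token` grammar quoted above and encodes binary data so the result always passes that check. It uses the RFC 4648 URL-safe alphabet (`-` and `_`, padding stripped) instead of the `#`, `-`, `_` mapping mentioned above, so a trailing `_` can never be mistaken for padding; the function names and sample bytes are made up for illustration.

```php
<?php
// Separators from the token grammar quoted in the thread (SP and HT included).
const SEPARATORS = "()<>@,;:\\\"/[]?={} \t";

/** True if $s is a valid `token`: non-empty, no CTLs, no separators, ASCII only. */
function is_token(string $s): bool
{
    if ($s === '') {
        return false;
    }
    for ($i = 0, $n = strlen($s); $i < $n; $i++) {
        $o = ord($s[$i]);
        if ($o <= 32 || $o >= 127 || strpos(SEPARATORS, $s[$i]) !== false) {
            return false;
        }
    }
    return true;
}

/** Base64 with + and / swapped for - and _, and the = padding dropped. */
function b64url_encode(string $bin): string
{
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

/** Inverse of b64url_encode(); returns null for anything malformed. */
function b64url_decode(string $txt): ?string
{
    // Reject foreign characters and lengths that no base64 output can have.
    if (!preg_match('/\A[A-Za-z0-9_-]*\z/', $txt) || strlen($txt) % 4 === 1) {
        return null;
    }
    $b64 = strtr($txt, '-_', '+/');
    $b64 .= str_repeat('=', (4 - strlen($b64) % 4) % 4); // restore padding
    $bin = base64_decode($b64, true);                    // strict mode
    return $bin === false ? null : $bin;
}

// Constructed sample bytes, chosen so plain base64 contains +, / and =.
$ciphertext = "\xfb\xff\xfe\x3e";
$plain = base64_encode($ciphertext);
$safe  = b64url_encode($ciphertext);

var_dump($plain, is_token($plain)); // plain base64 fails the token check
var_dump($safe, is_token($safe));   // URL-safe form passes
var_dump(b64url_decode($safe) === $ciphertext);
var_dump(b64url_decode('a/b'));     // tampered or foreign input is rejected
```

A value produced this way needs no further escaping, so it can be passed to setrawcookie() as-is and decoded directly from the received cookie.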

