Why Illegal cookies are send by Browser and received by web servers (rfc 2109, 2965)?

Posted by Artyom on Stack Overflow See other posts from Stack Overflow or by Artyom
Published on 2010-05-23T03:51:20Z Indexed on 2010/05/23 4:40 UTC
Read the original article Hit count: 327

Filed under:

cookies

|

web-server

|

rfc

Hello,

According to RFC 2109, 2965 cookie's value can be either HTTP token or quoted string, and token can't include non-ASCII characters.

Cookie's RFC 2109 and RFC2965
HTTP's RFC 2068 token definition: http://tools.ietf.org/html/rfc2068#page-16

However I had found that Firefox browser (3.0.6) sends cookies with utf-8 string as-is and three web servers I tested (apache2, lighttpd, nginx) pass this string as-is to the application.

For example, raw request from browser:

$ nc -l -p 8080
GET /hello HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.9) Gecko/2009050519 Firefox/2.0.0.13 (Debian-3.0.6-1)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: windows-1255,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cookie: wikipp=1234; wikipp_username=??????
Cache-Control: max-age=0

And raw response of apache, nginx and lighttpd HTTP_COOKIE CGI variable:

wikipp=1234; wikipp_username=??????

What do I miss? Can somebody explain me?

© Stack Overflow or respective owner

Related posts about cookies

ASP.NET Cookies

as seen on ASP.net Weblogs - Search for 'ASP.net Weblogs'
Cookies are domain specific and cannot be used across different network domains. The only domain that can read a cookie is the domain that sets it. It does not matter what domain name you set.Cookies are used to store small pieces of information on a client machine. A cookie can store only up to 4… >>> More
How to read/write cookies in asp.net

as seen on Samir ASP.NET with C# Technology - Search for 'Samir ASP.NET with C# Technology'
Writing Cookies Response.Cookies["userName"].Value = "patrick"; Response.Cookies["userName"].Expires = DateTime.Now.AddDays(1); HttpCookie aCookie = new HttpCookie("lastVisit"); aCookie.Value = DateTime.Now.ToString(); aCookie.Expires = DateTime.Now.AddDays(1); Response.Cookies.Add(aCookie); Reading… >>> More
Javascript cookies vs php cookies

as seen on Stack Overflow - Search for 'Stack Overflow'
Is there a difference between javascript cookies and php cookies? >>> More
Clearing C#'s WebBrowser control's cookies for all sites WITHOUT clearing for IE itself

as seen on Stack Overflow - Search for 'Stack Overflow'
Hail StackOverflow! The short version of what I'm trying to do is in the title. Here's the long version. I have a bit of a complex problem which I'm sure I will receive a lot of guesses as a response to. In order to keep the well-intended but unfortunately useless guesses to a minimum, let me first… >>> More
How to add multiple cookies to Response in WCF / REST service

as seen on Stack Overflow - Search for 'Stack Overflow'
I have access to WebOperationContext and can add one cookie by doing this: WebOperationContext.Current.OutgoingResponse.Headers.Add("Set-Cookie: foo_a=bar_a"); However if I call that several times, e.g.: WebOperationContext.Current.OutgoingResponse.Headers.Add("Set-Cookie: foo_a=bar_a"); WebOperationContext… >>> More

Related posts about web-server

Embedded Web Server Vs External Web Server

as seen on Programmers - Search for 'Programmers'
So I've thought of creating a web application in either Lisp or another functional language and was thinking of embedding the web server into the application (have my application handle the HTTP requests). I don't see any issues with that, however, I'm new to creating web applications (and in the… >>> More
data replication from a production web server back to the staging web server

as seen on Server Fault - Search for 'Server Fault'
Have two web servers, development/staging and production. Code and some documentation is moved from the staging area to production either through on-demand jobs or nightly via a global replication job. The production server of course sits isolated in a DMZ. There is some content that gets uploaded… >>> More
HTTP web server and web server

as seen on Stack Overflow - Search for 'Stack Overflow'
Is there any difference between 'HTTP web server' and 'web server' or both are same? >>> More
Move wordpress from home web server to web server hosting account

as seen on Stack Overflow - Search for 'Stack Overflow'
Hi, I've installed and tested Wordpress configurations on my home server which I use as my test server. Is it possible to upload everything, including Wordpress, from my home web server to my hosting account so it will work instantly there? Of course I need to change the database name, password,… >>> More
Why is this mod_rewrite RewriteRule directive not working in the .htaccess file?

as seen on Server Fault - Search for 'Server Fault'
I've got a site that was hosted on a linux el cheapo hosting service that I'm migrating to my Mac OS X 10.5 Leopard Server server running Apache 2.2.8 & PHP 5.2.5 w/rewrite_module enabled and AllowOverride All, but I'm running into an issue with the following lines in the .htaccess file: RewriteEngine… >>> More