Why are illegal cookies sent by browsers and received by web servers (RFC 2109, 2965)?
Posted by Artyom on Stack Overflow
Published on 2010-05-23T03:51:20Z
        
Hello,
According to RFC 2109 and RFC 2965, a cookie's value can be either an HTTP token or a quoted string, and a token can't include non-ASCII characters.
- Cookie RFCs: RFC 2109 and RFC 2965
- HTTP's RFC 2068 token definition: http://tools.ietf.org/html/rfc2068#page-16

However, I found that the Firefox browser (3.0.6) sends cookies with a UTF-8 string as-is, and the three web servers I tested (apache2, lighttpd, nginx) pass this string as-is to the application.
For example, the raw request from the browser:

    $ nc -l -p 8080
    GET /hello HTTP/1.1
    Host: localhost:8080
    User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.9) Gecko/2009050519 Firefox/2.0.0.13 (Debian-3.0.6-1)
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-us,en;q=0.5
    Accept-Encoding: gzip,deflate
    Accept-Charset: windows-1255,utf-8;q=0.7,*;q=0.7
    Keep-Alive: 300
    Connection: keep-alive
    Cookie: wikipp=1234; wikipp_username=??????
    Cache-Control: max-age=0

And the raw response of apache, nginx and lighttpd in the HTTP_COOKIE CGI variable:

    wikipp=1234; wikipp_username=??????

What am I missing? Can somebody explain this to me?
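
An added example, not part of the original question and not code from any of the servers mentioned: since the servers hand the raw Cookie bytes to the application unchanged, the application can check each value against the RFC 2068 token / quoted-string grammar itself. The function names, the sample header and the `theme` cookie are constructed for illustration, and only the `;` separator is handled.

```python
import re

# RFC 2068 tspecials (SP and HT included); a token may contain none of them.
TSPECIALS = frozenset(b'()<>@,;:\\"/[]?={} \t')

# name=value pairs separated by ';' (assumption: the ',' separator that
# RFC 2109 also allows is not handled). A quoted value may contain ';'.
PAIR = re.compile(rb'\s*([^=;\s]+)=("(?:\\.|[^"\\])*"|[^;]*)', re.DOTALL)


def is_ctl(octet):
    """CTL = US-ASCII control characters (0-31) and DEL (127)."""
    return octet < 32 or octet == 127


def classify_value(value):
    """Return 'token', 'quoted-string' or 'invalid' for one raw value."""
    # token = 1*<any CHAR except CTLs or tspecials>, CHAR = octets 0-127
    if value and all(o < 128 and not is_ctl(o) and o not in TSPECIALS
                     for o in value):
        return "token"
    if len(value) >= 2 and value[:1] == b'"' and value[-1:] == b'"':
        # Remove quoted-pairs ("\" CHAR); what is left must be qdtext:
        # any TEXT octet except '"'. TEXT excludes CTLs (HT is allowed
        # as linear white space) but does admit octets >= 0x80.
        body = re.sub(rb'\\[\x00-\x7f]', b'', value[1:-1])
        if not any(o in (0x22, 0x5C) or (is_ctl(o) and o != 0x09)
                   for o in body):
            return "quoted-string"
    return "invalid"


def audit_cookie_header(raw):
    """Map cookie name -> (classification, contains_non_ascii)."""
    report = {}
    for match in PAIR.finditer(raw):
        name, value = match.group(1), match.group(2).strip()
        report[name.decode("ascii", "replace")] = (
            classify_value(value), any(o > 127 for o in value))
    return report


# Constructed sample in the shape of the HTTP_COOKIE value from the question;
# the user name is a made-up UTF-8 string, sent unquoted.
SAMPLE = (b'wikipp=1234; wikipp_username=' + "Ren\u00e9".encode("utf-8")
          + b'; theme="dark; wide"')

if __name__ == "__main__":
    for name, result in audit_cookie_header(SAMPLE).items():
        print(name, result)
```

The non-ASCII flag is reported separately from the classification because the quoted-string production, unlike token, does not restrict octets to US-ASCII.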