Why are illegal cookies sent by browsers and received by web servers (RFC 2109)?
- by Artyom
Hello,
According to RFC 2109, a cookie's value can be either an HTTP token or a quoted string, and a token can't include non-ASCII characters.
Cookie's RFC 2109: http://tools.ietf.org/html/rfc2109#page-3
HTTP's RFC 2068 token definition: http://tools.ietf.org/html/rfc2068#page-16
However, I found that the Firefox browser (3.0.6) sends cookies with a UTF-8 string as-is,
and the three web servers I tested (apache2, lighttpd, nginx) pass this string as-is to the
application.
For example, the raw request from the browser:
$ nc -l -p 8080
GET /hello HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.9) Gecko/2009050519 Firefox/2.0.0.13 (Debian-3.0.6-1)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: windows-1255,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cookie: wikipp=1234; wikipp_username=??????
Cache-Control: max-age=0
And the raw response of apache, nginx and lighttpd, the HTTP_COOKIE CGI variable:
wikipp=1234; wikipp_username=??????
What am I missing?
Can somebody explain this to me?
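
A strict check of a Cookie header against the grammar cited in the question (value = token | quoted-string, with token and quoted-string as defined in RFC 2068 section 2.2), added here as an example that is not part of the original post. The function names are hypothetical, and the username bytes in the sample are constructed (UTF-8 for "café"), because the original value did not survive on the page.

```python
# RFC 2109 cookie value = token | quoted-string (grammar: RFC 2068 section 2.2).
TSPECIALS = frozenset(b'()<>@,;:\\"/[]?={} \t')

def is_token(v: bytes) -> bool:
    # token = 1*<any CHAR except CTLs or tspecials>; CHAR is US-ASCII only
    return len(v) > 0 and all(0x20 < b < 0x7f and b not in TSPECIALS for b in v)

def is_quoted_string(v: bytes) -> bool:
    if len(v) < 2 or v[:1] != b'"' or v[-1:] != b'"':
        return False
    body, i = v[1:-1], 0
    while i < len(body):
        b = body[i]
        if b == 0x5c:  # quoted-pair = "\" CHAR
            if i + 1 >= len(body) or body[i + 1] > 0x7f:
                return False
            i += 2
            continue
        # qdtext = any TEXT except <">; TEXT is any octet except CTLs (HT allowed)
        if b == 0x22 or b == 0x7f or (b < 0x20 and b != 0x09):
            return False
        i += 1
    return True

def split_pairs(header: bytes) -> list:
    # Split on ";" or "," but never inside a quoted-string.
    parts, cur, in_q, esc = [], bytearray(), False, False
    for b in header:
        if in_q:
            cur.append(b)
            if esc:
                esc = False
            elif b == 0x5c:
                esc = True
            elif b == 0x22:
                in_q = False
        elif b in b';,':
            parts.append(bytes(cur))
            cur = bytearray()
        else:
            in_q = (b == 0x22)
            cur.append(b)
    parts.append(bytes(cur))
    return [p.strip() for p in parts if p.strip()]

def check_cookie_header(header: bytes) -> list:
    out = []
    for name, _, value in (p.partition(b"=") for p in split_pairs(header)):
        v = value.strip()
        kind = "token" if is_token(v) else "quoted-string" if is_quoted_string(v) else "invalid"
        out.append((name.strip().decode("latin-1"), kind))
    return out

# Constructed sample: same cookie names as the request above, constructed value.
SAMPLE = b"wikipp=1234; wikipp_username=" + "caf\u00e9".encode("utf-8")
```

An application that wants only conforming values can reject or percent-encode anything reported as "invalid" before using it.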