net/http: cookie name can't contain "[" and "]" #20429

Closed
mlaraluna opened this issue May 19, 2017 · 2 comments
Labels
FrozenDueToAge help wanted NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.

Comments

@mlaraluna

Golang 1.8, Ubuntu 16.04 64-bit. Golang cannot use [ and ] in a cookie name. For example:

```go
ck1 := http.Cookie{
	Name:     "[id]",
	Value:    "12345",
	HttpOnly: true,
}
http.SetCookie(w, &ck1)
```

It will not be set.

It happens in both the HTTP server and the HTTP client. For example, the website ricardoalcala.com sets cookies that contain [ and ] in the cookie name; if I make an HTTP request using a cookiejar, that cookie will not be saved.

@bradfitz bradfitz changed the title Cookie name can't contain "[" and "]" net/http: cookie name can't contain "[" and "]" May 19, 2017
@bradfitz bradfitz added help wanted NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. labels May 19, 2017
@bradfitz
Contributor

/cc @odeke-em @nigeltao @vdobler

@vdobler
Contributor

vdobler commented May 20, 2017

From https://tools.ietf.org/html/rfc6265#section-4.1.1: cookie-name is a "token" defined
in https://tools.ietf.org/html/rfc2616#section-2.2 which is:

```
token          = 1*<any CHAR except CTLs or separators>
separators     = "(" | ")" | "<" | ">" | "@"
               | "," | ";" | ":" | "\" | <">
               | "/" | "[" | "]" | "?" | "="
               | "{" | "}" | SP | HT
```

So: works as intended as a valid cookie-name must contain neither "[" nor "]".

If ricardoalcala.com really tries to set cookies with [ or ] in the name, then it is
the fault of ricardoalcala.com. In that case it is still possible to access, parse
and handle the Set-Cookie header by hand and implement non-standard
behaviour.
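
The behaviour discussed in this thread, as an added example that is not part of the issue or of the Go project's code: it checks a name against the RFC 2616 token grammar quoted above, shows that `http.SetCookie` and `Response.Cookies` both drop `[id]`, and reads the name/value pair from a raw `Set-Cookie` line by hand. The helper names (`isToken`, `setCookieHeaders`, `stdlibCookies`, `rawCookiePair`) and the sample header are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// isToken reports whether s is an RFC 2616 section 2.2 token: one or more
// CHARs (0-127) that are neither CTLs (0-31, 127) nor separators.
func isToken(s string) bool {
	for i := 0; i < len(s); i++ {
		c := s[i]
		if c <= 31 || c >= 127 || strings.IndexByte("()<>@,;:\\\"/[]?={} \t", c) >= 0 {
			return false
		}
	}
	return s != ""
}

// setCookieHeaders returns the Set-Cookie headers net/http really emits for c.
func setCookieHeaders(c *http.Cookie) []string {
	rec := httptest.NewRecorder()
	http.SetCookie(rec, c) // silently adds nothing when the name is invalid
	return rec.Header()["Set-Cookie"]
}

// stdlibCookies counts the cookies net/http parses out of one Set-Cookie line,
// which is what a cookie jar would get to see on the client side.
func stdlibCookies(header string) int {
	resp := http.Response{Header: http.Header{"Set-Cookie": {header}}}
	return len(resp.Cookies())
}

// rawCookiePair reads name and value from a raw Set-Cookie line by hand,
// without enforcing the token grammar (deliberately non-standard handling).
func rawCookiePair(header string) (name, value string, ok bool) {
	pair, _, _ := strings.Cut(header, ";")
	name, value, ok = strings.Cut(pair, "=")
	name, value = strings.TrimSpace(name), strings.TrimSpace(value)
	return name, value, ok && name != ""
}

func main() {
	const sample = "[id]=12345; HttpOnly" // constructed header from a non-conforming server
	c := &http.Cookie{Name: "[id]", Value: "12345", HttpOnly: true}
	fmt.Println(isToken(c.Name), len(setCookieHeaders(c)), stdlibCookies(sample))
	fmt.Println(rawCookiePair(sample))
}
```

Anything recovered with `rawCookiePair` bypasses the library's validation, so treat the name and value as untrusted input before storing or replaying them.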

@golang golang locked and limited conversation to collaborators May 20, 2018