0

It's not a question about sense but about specification.

A HTTP cookie must be set like

Set-Cookie: <cookieValue>[; <attribute>][; <attribute>]

cookieValue is recommended to be set as

<key>=<value>

but can be a single value without an equal sign, because the equal sign is not recommended by specification but by common usage. So if I set a cookie like

Set-Cookie: foobar

Does foobar will be set as the cookie key or the cookie value?

I'm developing a CURL wrapper and I'm on the cookie implementation right now. But the handling of a equal-sign-less cookie value isn't quite obvious to do it right.

If I missed some specification answering my question I'd be happy to get links into that specification.

codekandis
  • 712
  • 1
  • 11
  • 22

1 Answers1

0

If there is no equal sign in the cookie value the set-cookie header must be ignored completely.

Explanation

https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis-05#section-5.3

A user agent MUST use an algorithm equivalent to the following algorithm to parse a set-cookie-string:

This states the following steps are the way how to implement it.

  1. If the name-value-pair string lacks a %x3D ("=") character, then the name string is empty, and the value string is the value of name-value-pair.

    Otherwise, the name string consists of the characters up to, but not including, the first %x3D ("=") character, and the (possibly empty) value string consists of the characters after the first %x3D ("=") character.

[...]

  1. If both the name string and the value string are empty, ignore the set-cookie-string entirely.

There might be an inconsistency with that steps.

Will the cookie set with a value without a name? Or will the set-cookie-string be ignored completely.

In fact these steps must been read as mentioned as "steps of implementation". So the 4th step applies AFTER the 2nd step. After the 2nd step the cookie name is empty and in the 4th step that empty cookie name leads to the conclusion to ignore the set-cookie header.

jonrsharpe
  • 115,751
  • 26
  • 228
  • 437
codekandis
  • 712
  • 1
  • 11
  • 22
  • 1
    I disagree with your interpretation. Step 4 says ignore the set-cookie-string if **both** name string and value string are empty. Step 2 says for a name-value-pair string that lacks `=`, like `foobar`, the name string is empty but the value string is _not_. I think the only values that would be completely ignored are an entirely empty string (no equals, so name string is empty, but then the value string is also empty) and `=` (equals, so the name string is the empty string before it and the value string is the empty string after it). – jonrsharpe May 15 '22 at 22:33
  • @jonrsharpe You're right. I messed up with the parallel opened older version of the same RFC https://www.rfc-editor.org/rfc/rfc6265#section-5.2 `5. If the name string is empty, ignore the set-cookie-string entirely.` Thank you for mentioning that. – codekandis May 15 '22 at 22:42
  • @jonsharpe So `name=value` is clear. `name=` is a valid cookie with a name set. `=value` is a valid cookie with a value set. And `` and `=` are ignored then. – codekandis May 15 '22 at 22:45
  • Hmmm ... what I didn't realize until now is that the menitoned RFC in my answer is still DRAFT and in fact not the latest one, which would be https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis-10. And both suggested draft implementations differ. So the best way is to rely on https://www.rfc-editor.org/rfc/rfc6265#section-5.2 – codekandis May 16 '22 at 00:07