HTTP Cookies

This page documents my experience of using HTTP cookies in DisOrder.


RFC 2109 is the specification that everyone actually follows.

There is also RFC 2965, defining the Set-Cookie2 header, which officially supersedes RFC 2965, but it's not clear that it's implemented widely.

In practice there are a few things worth knowing that aren't in the RFC…


Quoted Values

Safari 3.0.4 doesn't parse quoted cookies correctly. I discovered this when I quoted a cookie because it contained semicolons; Safari truncated the cookie at the semicolon inside the quoted cookie. Similarly, it didn't bother to dequote the path, which I'd also quoted.

I was able to work around this by changing the characters used in my cookie to avoid the need for quoting, and not quoting the path.

But wait! The spec actually requires you to quote the path ("/" is not a valid character in a token in the RFC2068/RFC2616 rules). So if you want to work with Safari you have to breach the rules yourself.

WebKit bug #16699.

Cookie Paths

RFC 2109 s4.3.2 says that if a cookie specifies a path that is not a prefix of the request-URI then the browser must reject it. Most browsers sensibly interpret the path from the URL as being a prefix of itself, which allows programs to set cookies that will only be sent back to themselves.

However, Lynx for some reason compares the cookie path with the directory part of the URL, rather than the full path, and cookie path is not a prefix then it asks the user whether it should accept the cookie.

Debian bug #460108 (now fixed).

A Plea To Browser Authors

It would make developers' lives a lot easier if major browsers logged the reason that they rejected any given cookie. They don't necessarily have to bother the user about it (though some might prefer to if their user base is likely to know whether accepting the cookie is safe or not), a logfile somewhere would do fine.

(Also actually implementing the spec correctly would be nice!)

RJK | Contents