Cookie value encoding


dirk

Mar 4, 2010, 4:42:20 PM
to play-framework
It seems there is a de facto standard on the web to URL encode cookie
values, although there is no requirement to do so in the RFC.
An obvious use case is an email address stored in a cookie (the @
symbol gets mangled if it's not encoded).

For example:
- The jQuery cookie plugin calls encodeURIComponent(value) before
setting the cookie:
http://plugins.jquery.com/files/jquery.cookie.js.txt

- PHP automatically URL decodes cookie values:
http://php.net/manual/en/function.setcookie.php
"Note that the value portion of the cookie will automatically be
urlencoded when you send the cookie, and when it is received, it is
automatically decoded and assigned to a variable by the same name as
the cookie name. If you don't want this, you can use setrawcookie()
instead if you are using PHP 5."

The documentation for HttpClient also mentions the issue:
http://hc.apache.org/httpclient-3.x/cookies.html
"Since cookies are transferred as HTTP Headers they are confined to the
US-ASCII character set. Other characters will be lost or mangled.
Cookies are typically set and read by the same server, so a custom
scheme for escaping non-ASCII characters can be used, for instance the
well-established URL encoding scheme. If cookies are used to transfer
data between server and client both parties must agree on the escaping
scheme used in a custom way. The HttpClient cookie implementation
provides no special means to handle non-ASCII characters nor does it
issue warnings."

So my question is, should Play automatically URL decode cookie values?

Guillaume Bort

Mar 4, 2010, 4:45:23 PM
to play-fr...@googlegroups.com
I think so. It is not the case?


dirk

Mar 5, 2010, 7:19:20 AM
to play-framework
It doesn't seem to be the case in the version of Play I'm using (1.1).
It seems that MutableHttpRequest doesn't URL decode the cookie, and
neither does the Play code:

    for (Cookie cookie : minaRequest.getCookies()) {
        Http.Cookie playCookie = new Http.Cookie();
        playCookie.name = cookie.getName();
        playCookie.path = cookie.getPath();
        playCookie.domain = cookie.getDomain();
        playCookie.secure = cookie.isSecure();
        // The value is copied as received, without URL decoding
        playCookie.value = cookie.getValue();
        request.cookies.put(playCookie.name, playCookie);
    }


I've filed a bug:
https://bugs.launchpad.net/play/+bug/532589


On Mar 4, 7:45 pm, Guillaume Bort <guillaume.b...@gmail.com> wrote:
> I think so. It is not the case?
>

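A sketch of the decode step discussed in this thread, as an added example that is not part of the original posts or of Play's code. The class and method names (CookieValueCodec, decode, encode) are hypothetical and the cookie values are constructed; it decodes once, keeps a literal '+' intact, and falls back to the raw value on a malformed escape.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.net.URLEncoder;

// Hypothetical helper, not part of Play: URL-decodes a cookie value on read
// and URL-encodes it on write, compatible with encodeURIComponent().
public class CookieValueCodec {

    static String decode(String raw) {
        if (raw == null) return null;
        try {
            // URLDecoder does form decoding, where '+' means space.
            // encodeURIComponent() never emits a bare '+', so keep it literal.
            return URLDecoder.decode(raw.replace("+", "%2B"), "UTF-8");
        } catch (IllegalArgumentException e) {
            // Malformed escape such as "%zz" or a trailing '%': the client did
            // not encode this value, so hand it back untouched.
            return raw;
        } catch (UnsupportedEncodingException e) {
            throw new IllegalStateException(e); // UTF-8 is always available
        }
    }

    static String encode(String value) {
        try {
            // URLEncoder writes a space as '+'; use %20 so that
            // decodeURIComponent() in the browser reads it back correctly.
            return URLEncoder.encode(value, "UTF-8").replace("+", "%20");
        } catch (UnsupportedEncodingException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        // Constructed cookie values, as they would arrive in a Cookie header.
        String[] samples = { "user%40example.com", "a+b%3Dc", "50%", "%2540" };
        for (String raw : samples) {
            System.out.println(raw + " -> " + decode(raw));
        }
        // decode() is applied once, so a doubly encoded value stays encoded
        // one level. On the way out, CR, LF, ';' and ',' are escaped again
        // before the value is written into a Set-Cookie header.
        System.out.println(encode("a b;c\r\n"));
    }
}
```

A decoded value can contain characters that are not legal in a cookie header, so anything read through decode() should pass through encode() before it is sent back to the client.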