otsukare Thoughts after a day of work

Production of Cookies for Web Developers

Some cookies are really bad for your health and you have to be careful when you cook them. A very simple cookie looks like this when the server sends it to the client:

Set-Cookie: cookieName=cookieValue

but more often it will look like this:

Set-Cookie: cookieName=cookieValue; Path=/; Domain=example.org

Sometimes they will contain an Expires date:

Set-Cookie: cookieName=cookieValue; Expires=Wed, 09 Jun 2021 10:18:14 GMT

Cookies were defined in RFC 2965 and are now being specified in HTTP State Management Mechanism, currently written by Adam Barth. The production rules for servers are strict and defined in section 4.1, Set-Cookie.

These are the rules you have to check when you are coding, either in JavaScript or in your Web framework, to produce cookies:

  • Set-Cookie:SP The space is important: US-ASCII SP (octet 32).
  • cookieName any US-ASCII character except the control characters (octets 0-31), DEL (octet 127), the separators "(", ")", "<", ">", "@", ",", ";", ":", "\", "/", "[", "]", "?", "=", "{", "}", the double quote character itself, US-ASCII SP (octet 32) and the tabulation (octet 9).
  • = no space before and after.
  • cookieValue same as cookieName.

Then optionally you can add

  • ;SP The space is important: the semicolon is followed by exactly one US-ASCII SP (octet 32).

Just a little reminder because this morning I stumbled across a cookie which was badly defined on a Website:

Set-Cookie: {$aaa|xxx:"zzz"}=foo

the characters {, }, " and : are forbidden here.
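As an added example (not code from the original post), here is a small JavaScript checker for the production rules listed above, applied to the badly defined cookie just shown. The function names (forbiddenChars, isToken, buildSetCookie, lintSetCookie) are this example's own; the forbidden character list and the attribute names Path, Domain and Expires are the ones the post gives.

```javascript
// Added example, not code from the original post: a checker for the
// Set-Cookie production rules described above. Function names are this
// example's own; the character rules and attribute names come from the post.

// Separators the post forbids in a cookie name (besides CTLs, DEL, SP and HT).
const SEPARATORS = new Set([..."()<>@,;:\\\"/[]?={}"]);

// Distinct forbidden characters found in s, in order of first appearance.
// CTLs (octets 0-31, which include the tabulation) and DEL (127) are caught
// by the code-point range; non-ASCII code points fall in that range too.
function forbiddenChars(s) {
  const bad = [];
  for (const ch of s) {
    const code = ch.codePointAt(0);
    const forbidden = code <= 31 || code >= 127 || ch === " " || SEPARATORS.has(ch);
    if (forbidden && !bad.includes(ch)) bad.push(ch);
  }
  return bad;
}

// A non-empty string made only of allowed characters: the post's rule for
// both cookieName and cookieValue.
function isToken(s) {
  return typeof s === "string" && s.length > 0 && forbiddenChars(s).length === 0;
}

// Produce a Set-Cookie header line: exactly one space after the colon,
// no space around "=", attributes separated by "; " (semicolon, one space).
// Expires is written in the same date format as the post's example.
function buildSetCookie(name, value, attrs = {}) {
  for (const [what, s] of [["name", name], ["value", value]]) {
    if (!isToken(s)) {
      throw new Error(`invalid cookie ${what} ${JSON.stringify(s)}: forbidden characters ` +
        JSON.stringify(forbiddenChars(String(s))));
    }
  }
  const parts = [`${name}=${value}`];
  if (attrs.path !== undefined) parts.push(`Path=${attrs.path}`);
  if (attrs.domain !== undefined) parts.push(`Domain=${attrs.domain}`);
  if (attrs.expires instanceof Date) parts.push(`Expires=${attrs.expires.toUTCString()}`);
  return `Set-Cookie: ${parts.join("; ")}`;
}

// Check an existing header line against the same rules. Returns a list of
// problems; an empty list means the line is well formed.
function lintSetCookie(line) {
  const problems = [];
  const prefix = "Set-Cookie: ";
  if (!line.startsWith(prefix) || line.startsWith(prefix + " ")) {
    problems.push('"Set-Cookie:" must be followed by exactly one space');
    return problems;
  }
  const parts = line.slice(prefix.length).split(";");
  const eq = parts[0].indexOf("=");
  if (eq === -1) {
    problems.push('missing "=" between cookie name and value');
  } else {
    const name = parts[0].slice(0, eq);
    const value = parts[0].slice(eq + 1);
    if (name !== name.trim() || value !== value.trim()) {
      problems.push('no space allowed before or after "="');
    }
    if (name.trim() === "") problems.push("cookie name must not be empty");
    const badName = forbiddenChars(name.trim());
    if (badName.length > 0) problems.push(`forbidden in cookie name: ${badName.join(" ")}`);
    const badValue = forbiddenChars(value.trim());
    if (badValue.length > 0) problems.push(`forbidden in cookie value: ${badValue.join(" ")}`);
  }
  // Every attribute after the first pair must follow ";" and exactly one space.
  for (let i = 1; i < parts.length; i++) {
    if (!parts[i].startsWith(" ") || parts[i].startsWith("  ")) {
      problems.push(`attribute ${i}: ";" must be followed by exactly one space`);
    }
  }
  return problems;
}

// Usage: lint the badly defined cookie from the post.
console.log(lintSetCookie('Set-Cookie: {$aaa|xxx:"zzz"}=foo'));
console.log(buildSetCookie("cookieName", "cookieValue", { path: "/", domain: "example.org" }));
```

Run on the post's `{$aaa|xxx:"zzz"}=foo` line, lintSetCookie reports the four offending characters `{`, `:`, `"` and `}` in the cookie name, and buildSetCookie refuses to produce such a header at all. The value check follows the post's "same as cookieName" rule, which is stricter than what a browser will actually accept; on the server side, which is where the header is produced, erring on the strict side is the safe direction.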