GNOME Bugzilla – Bug 633632
Misparses quoted cookies
Last modified: 2010-10-31 16:19:29 UTC
I think this is a bug in libsoup. It was originally reported here: http://bugs.debian.org/583131

---

I use the following header to set a cookie:

| Set-Cookie: auth="name=blank;sig=MZTJl0eYACEJB6L8ibIm4S6QK1k="; Secure

epiphany lists the cookie with name "auth" and value '"name=blank', aka it splits it after the first ; within the value.

However, RFC 2109 and the referenced 2068 specify this header the following way:

    set-cookie    = "Set-Cookie:" cookies
    cookies       = 1#cookie
    cookie        = NAME "=" VALUE *(";" cookie-av)
    VALUE         = value
    value         = word
    word          = token | quoted-string
    quoted-string = ( <"> *(qdtext) <"> )
    qdtext        = <any TEXT except <">>
    TEXT          = <any OCTET except CTLs, but including LWS>

The most identical definition is given in RFC 2965 and 2616 for the Set-Cookie2 header.

It even transmits it in this broken state (note the missing quote):

| Cookie: I18N_LANGUAGE="de"; auth="name=blank
libsoup's behavior is correct. RFC 2109 is not the specification for cookies, it was an attempt to "fix" cookie parsing that was never widely adopted. 2109 is about to be obsoleted by a new RFC that *does* document the reality of cookies (and that requires the parsing that libsoup does). The current draft of that is http://tools.ietf.org/html/draft-ietf-httpstate-cookie-17
Thanks a lot for the explanation.
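
The two readings discussed in this thread, as an added example (not libsoup's code and not part of the original report): C code that extracts the cookie value from the reporter's header, once by ending the name-value pair at the first ';' as the reply describes, and once by honoring the RFC 2109 quoted-string grammar. The function names are hypothetical, and parsing of attributes such as Secure is left out.

```c
#include <stdio.h>
#include <string.h>

/* Copy len bytes of s into out (capacity n) as a C string; -1 if it does not fit. */
static int copy_out(const char *s, size_t len, char *out, size_t n) {
    if (len >= n) return -1;
    memcpy(out, s, len);
    out[len] = '\0';
    return 0;
}

/* Reading 1 (the behavior the reply calls correct): the name-value pair ends
 * at the first ';' and double quotes are ordinary characters. */
int value_first_semicolon(const char *sc, char *out, size_t n) {
    size_t pair = strcspn(sc, ";");
    const char *eq = memchr(sc, '=', pair);
    if (!eq) return -1;
    const char *v = eq + 1, *end = sc + pair;
    while (v < end && (*v == ' ' || *v == '\t')) v++;               /* trim left */
    while (end > v && (end[-1] == ' ' || end[-1] == '\t')) end--;   /* trim right */
    return copy_out(v, (size_t)(end - v), out, n);
}

/* Reading 2 (RFC 2109 grammar quoted in the report): VALUE may be a
 * quoted-string, so a ';' between the quotes is part of the value. */
int value_quoted_string(const char *sc, char *out, size_t n) {
    const char *eq = strchr(sc, '=');
    if (!eq) return -1;
    const char *v = eq + 1;
    if (*v != '"') return copy_out(v, strcspn(v, ";"), out, n);
    const char *close = strchr(v + 1, '"');
    if (!close) return -1;                                /* unterminated quoted-string */
    return copy_out(v, (size_t)(close - v) + 1, out, n);  /* both quotes kept */
}

/* 1 if the two readings give different values, 0 if they agree, -1 on parse failure. */
int readings_differ(const char *sc) {
    char a[256], b[256];
    if (value_first_semicolon(sc, a, sizeof a) || value_quoted_string(sc, b, sizeof b)) return -1;
    return strcmp(a, b) != 0;
}

int main(void) {
    const char *sc = "auth=\"name=blank;sig=MZTJl0eYACEJB6L8ibIm4S6QK1k=\"; Secure"; /* from the report */
    char v[256];
    if (value_first_semicolon(sc, v, sizeof v) == 0) printf("first ';' reading:     %s\n", v);
    if (value_quoted_string(sc, v, sizeof v) == 0) printf("quoted-string reading: %s\n", v);
    return 0;
}
```

A server that needs the client to store the same value it sent has to keep ';' out of cookie values, for example by encoding the value before setting it.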