Why are illegal cookies sent by the browser and accepted by web servers (RFC 2109, 2965)?

According to RFC 2109 and 2965, a cookie value may be either an HTTP token or a quoted string, and a token cannot contain non-ASCII characters.

However, I found that the Firefox browser (3.0.6) sends cookies with the UTF-8 string as-is, and all three web servers I tested (apache2, lighttpd, nginx) pass this string as-is to the application.

For example, a raw request from a browser:

$ nc -l -p 8080
GET /hello HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.9) Gecko/2009050519 Firefox/2.0.0.13 (Debian-3.0.6-1)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: windows-1255,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cookie: wikipp=1234; wikipp_username=ארתיום
Cache-Control: max-age=0

And the raw HTTP_COOKIE CGI variable that apache, nginx and lighttpd each pass to the application:

 wikipp=1234; wikipp_username=ארתיום 

What am I missing?

+4
2 answers

RFC 2109 (February 1997) has been obsoleted and replaced by RFC 2965 (October 2000) according to the Official Internet Protocol Standards (STD 1, RFC 5000).

You may also be interested in a later draft, dated March 7, 2010, that revises 2965.

The only definition of token in 2965 is:

informally, a sequence of non-special, non-white space characters

I would not consider that full UTF-8 is forbidden by this definition - only characters that might be mistaken for control / syntax characters.

+3

RFC 2965 is deprecated by RFC 6265. According to this RFC:

The cookie name must be a token, which consists of printable ASCII characters without ( ) < > @ , ; : \ " / [ ] ? = { } SPACE TAB

The cookie value consists of printable ASCII characters without SPACE " , ; \ and may optionally be surrounded by double quotes

+1
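As an added example (not part of the original question or answers), here is a small Python checker for the RFC 6265 cookie-name and cookie-value grammar quoted in the answer above, run over the Cookie header from the question. Since the web servers in the question pass the header through untouched, the application is the only place where this check can happen. The `encode_value` helper is an assumption of this example: RFC 6265 advises servers that want to store arbitrary data in a cookie value to encode it, and percent-encoding is one scheme that keeps the value inside the allowed octets.

```python
from urllib.parse import quote, unquote

# RFC 2616 separators: a token may not contain any of these (plus CTLs and non-ASCII).
_SEPARATORS = set('()<>@,;:\\"/[]?={} \t')

# Constructed sample: the Cookie header from the question, verbatim.
RAW_COOKIE_HEADER = 'wikipp=1234; wikipp_username=ארתיום'


def is_token(name):
    """RFC 6265 cookie-name is an RFC 2616 token: printable US-ASCII minus separators."""
    if not name:
        return False
    for ch in name:
        code = ord(ch)
        if code <= 0x20 or code >= 0x7F:  # CTLs, SP, DEL and anything non-ASCII
            return False
        if ch in _SEPARATORS:
            return False
    return True


def is_cookie_value(value):
    """RFC 6265 cookie-value = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE ).

    cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E, i.e. printable
    US-ASCII excluding CTLs, whitespace, DQUOTE, comma, semicolon and backslash.
    """
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        value = value[1:-1]  # the surrounding DQUOTEs are allowed
    for ch in value:
        code = ord(ch)
        if not 0x21 <= code <= 0x7E:
            return False
        if ch in '",;\\':
            return False
    return True


def check_cookie_header(header):
    """Split a Cookie header into cookie-pairs on ';' (RFC 6265 section 5.4)
    and report whether each name and value satisfies the grammar."""
    results = []
    for pair in header.split(';'):
        pair = pair.strip()
        if not pair:
            continue
        name, sep, value = pair.partition('=')
        results.append({
            'name': name,
            'value': value,
            'name_ok': is_token(name),
            # a cookie-pair without '=' is not well-formed at all
            'value_ok': sep == '=' and is_cookie_value(value),
        })
    return results


def noncompliant(header):
    """Names of the cookie-pairs that violate the RFC 6265 grammar."""
    return [r['name'] for r in check_cookie_header(header)
            if not (r['name_ok'] and r['value_ok'])]


def encode_value(text):
    """Assumed helper: percent-encode arbitrary text so it only uses cookie-octets.
    safe='' makes quote() encode everything except unreserved ASCII letters,
    digits and '_.-~'; '%' itself (0x25) is a valid cookie-octet."""
    return quote(text, safe='')


def decode_value(value):
    """Inverse of encode_value, for the application reading the cookie back."""
    return unquote(value)


if __name__ == '__main__':
    for r in check_cookie_header(RAW_COOKIE_HEADER):
        print(r)
    print('non-compliant:', noncompliant(RAW_COOKIE_HEADER))
    print('encoded:', encode_value('ארתיום'))
```

Running it flags only `wikipp_username`, whose value contains non-ASCII octets, while `wikipp=1234` passes; the encoded form of the same username round-trips through `decode_value` and is accepted by `is_cookie_value`.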

Source: https://habr.com/ru/post/1310641/
