What are allowed characters in cookies

Question

What are the allowed characters in both cookie name and value  Are they same as URL or some common subset   Reason I m asking is that I ve recently hit some strange behavior with cookies that have - in their name and I m just wondering if it s something browser specific or if my code is faulty

User · Answer

If you are using the variables later  you ll find that stuff like path actually will let accented characters through  but it won t actually match the browser path  For that you need to URIEncode them  So i e  like this     const encodedPath   encodeURI myPath     document cookie    use pwa true  domain   location host   path   encodedPath      So the  allowed  chars  might be more than what s in the spec  But you should stay within the spec  and use URI-encoded strings to be safe

User · Answer

There are 2 versions of cookies specifications  1  Version 0 cookies aka Netscape cookies   2  Version 1 aka RFC 2965 cookies In version 0 The name and value part of cookies are  sequences of characters  excluding the semicolon  comma  equals sign  and whitespace  if not used with double quotes  version 1 is a lot more complicated you can check it here In this version specs for name value part is almost same except name can not start with   sign

User · Answer

One more consideration  I recently implemented a scheme in which some sensitive data posted to a PHP script needed to convert and return it as an encrypted cookie  that used all base64 values I thought were guaranteed  safe   So I dutifully encrypted the data items using RC4  ran the output through base64 encode  and happily returned the cookie to the site  Testing seemed to go well until a base64 encoded string contained a     symbol  The string was written to the page cookie with no trouble  Using the browser diagnostics I could also verify the cookies was written unchanged  Then when a subsequent page called my PHP and obtained the cookie via the   COOKIE array  I was stammered to find the string was now missing the     sign  Every occurrence of that character was replaced with an ASCII space       Considering how many similar unresolved complaints I ve read describing this scenario since then  often siting numerous references to using base64 to  safely  store arbitrary data in cookies  I thought I d point out the problem and offer my admittedly kludgy solution   After you ve done whatever encryption you want to do on a piece of data  and then used base64 encode to make it  cookie-safe   run the output string through this        from browser to PHP  substitute troublesome chars with     other cookie safe chars  or vis-versa     function fix64  inp         out   inp      for  i   0   i  lt  strlen  inp    i               c    inp  i           switch   c                case        c        break     definitly won t transfer              case        c        break               case        c        break       symbol seems like a bad idea             case        c        break               default  continue                         out  i     c                return  out          Here I m simply substituting      and I decided     as well  with other  cookie safe  characters  before returning the encoded value to the page  for use as a cookie  Note that the length of the string being processed doesn t change  When the same  or another page on the site  runs my PHP script again  I ll be able to recover this cookie without missing characters  I just have to remember to pass the cookie back through the same fix64   call I created  and from there I can decode it with the usual base64 decode    followed by whatever other decryption in your scheme   There may be some setting I could make in PHP that allows base64 strings used in cookies to be transferred back to to PHP without corruption  In the mean time this works  The     may be a  legal  cookie value  but if you have any desire to be able to transmit such a string back to PHP  in my case via the   COOKIE array   I m suggesting re-processing to remove offending characters  and restore them after recovery  There are plenty of other  cookie safe  characters to choose from

User · Answer

Here it is  in as few words as possible  Focus on characters that need no escaping       For cookies    abdefghijklmnqrstuvxyzABDEFGHIJKLMNQRSTUVXYZ0123456789     amp      -    lt  gt                  For urls   abdefghijklmnqrstuvxyzABDEFGHIJKLMNQRSTUVXYZ0123456789 -     amp                 For cookies and urls   intersection     abdefghijklmnqrstuvxyzABDEFGHIJKLMNQRSTUVXYZ0123456789   amp      -        That s how you answer       Note that for cookies  the   has been removed because it is   usually used to set the cookie value    For urls this the   was kept  The intersection is obviously without    var chars    abdefghijklmnqrstuvxyz   chars    chars toUpperCase      0123456789        amp      -          Turns out escaping still occuring and unexpected happening  especially in a Java cookie environment where the cookie is wrapped with double quotes if it encounters the last characters    So to be safe  just use A-Za-z1-9  That s what I am going to do

User · Answer

In ASP Net you can use System Web HttpUtility to safely encode the cookie value before writing to the cookie and convert it back to its original form on reading it out      Encode HttpUtility UrlEncode cookieData       Decode HttpUtility UrlDecode encodedCookieData     This will stop ampersands and equals signs spliting a value into a bunch of name value pairs as it is written to a cookie

User · Answer

I think it s generally browser specific  To be on the safe side  base64 encode a JSON object  and store everything in that  That way you just have to decode it and parse the JSON  All the characters used in base64 should play fine with most  if not all browsers

User · Answer

Years ago MSIE 5 or 5 5  and probably both  had some serious issue with a  -  in the  HTML block if you can believe it   Alhough it s not directly related  ever since we ve stored an MD5 hash  containing letters and numbers only  in the cookie to look up everything else in server-side database

User · Answer

There is another interesting issue with IE and Edge  Cookies that have names with more than 1 period seem to be silently dropped  So This works       cookie name a valuea   while this will get dropped     cookie name a valuea

User · Answer

that s simple   A  lt cookie-name gt  can be any US-ASCII characters except control characters  CTLs   spaces  or tabs  It also must not contain a separator character like the following       lt   gt             quot                  A  lt cookie-value gt  can optionally be set in double quotes and any US-ASCII characters excluding CTLs  whitespace  double quotes  comma  semicolon  and backslash are allowed  Encoding  Many implementations perform URL encoding on cookie values  however it is not required per the RFC specification  It does help satisfying the requirements about which characters are allowed for  though   Link  https   developer mozilla org en-US docs Web HTTP Headers Set-Cookie Directives

User · Answer

Newer rfc6265 published in April 2011   cookie-header    Cookie   OWS cookie-string OWS cookie-string   cookie-pair        SP cookie-pair   cookie-pair    cookie-name     cookie-value cookie-value    cookie-octet     DQUOTE  cookie-octet DQUOTE    cookie-octet    x21    x23-2B    x2D-3A    x3C-5B    x5D-7E                      US-ASCII characters excluding CTLs                       whitespace DQUOTE  comma  semicolon                       and backslash   If you look to  bobince answer you see that newer restrictions are more strict

User · Answer

I ended up using   cookie value   encodeURIComponent my string     and  my string   decodeURIComponent cookie value     That seems to work for all kinds of characters  I had weird issues otherwise  even with characters that weren t semicolons or commas

User · Answer

this one s a quickie    You might think it should be  but really it s not at all      What are the allowed characters in both cookie name and value    According to the ancient Netscape cookie spec the entire NAME VALUE string is      a sequence of characters excluding semi-colon  comma and white space    So - should work  and it does seem to be OK in browsers I ve got here  where are you having trouble with it   By implication of the above      is legal to include  but potentially ambiguous  Browsers always split the name and value on the first   symbol in the string  so in practice you can put an   symbol in the VALUE but not the NAME    What isn t mentioned  because Netscape were terrible at writing specs  but seems to be consistently supported by browsers    either the NAME or the VALUE may be empty strings if there is no   symbol in the string at all  browsers treat it as the cookie with the empty-string name  ie Set-Cookie  foo is the same as Set-Cookie   foo  when browsers output a cookie with an empty name  they omit the equals sign  So Set-Cookie   bar begets Cookie  bar  commas and spaces in names and values do actually seem to work  though spaces around the equals sign are trimmed control characters   x00 to  x1F plus  x7F  aren t allowed   What isn t mentioned and browsers are totally inconsistent about  is non-ASCII  Unicode  characters    in Opera and Google Chrome  they are encoded to Cookie headers with UTF-8  in IE  the machine s default code page is used  locale-specific and never UTF-8   Firefox  and other Mozilla-based browsers  use the low byte of each UTF-16 code point on its own  so ISO-8859-1 is OK but anything else is mangled   Safari simply refuses to send any cookie containing non-ASCII characters    so in practice you cannot use non-ASCII characters in cookies at all  If you want to use Unicode  control codes or other arbitrary byte sequences  the cookie spec demands you use an ad-hoc encoding scheme of your own choosing and suggest URL-encoding  as produced by JavaScript s encodeURIComponent  as a reasonable choice   In terms of actual standards  there have been a few attempts to codify cookie behaviour but none thus far actually reflect the real world    RFC 2109 was an attempt to codify and fix the original Netscape cookie spec  In this standard many more special characters are disallowed  as it uses RFC 2616 tokens  a - is still allowed there   and only the value may be specified in a quoted-string with other characters  No browser ever implemented the limitations  the special handling of quoted strings and escaping  or the new features in this spec  RFC 2965 was another go at it  tidying up 2109 and adding more features under a    version 2 cookies    scheme  Nobody ever implemented any of that either  This spec has the same token-and-quoted-string limitations as the earlier version and it s just as much a load of nonsense  RFC 6265 is an HTML5-era attempt to clear up the historical mess  It still doesn t match reality exactly but it s much better then the earlier attempts   it is at least a proper subset of what browsers support  not introducing any syntax that is supposed to work but doesn t  like the previous quoted-string     In 6265 the cookie name is still specified as an RFC 2616 token  which means you can pick from the alphanums plus        amp    -         In the cookie value it formally bans the  filtered by browsers  control characters and  inconsistently-implemented  non-ASCII characters  It retains cookie spec s prohibition on space  comma and semicolon  plus for compatibility with any poor idiots who actually implemented the earlier RFCs it also banned backslash and quotes  other than quotes wrapping the whole value  but in that case the quotes are still considered part of the value  not an encoding scheme   So that leaves you with the alphanums plus        amp      -    lt   gt               In the real world we are still using the original-and-worst Netscape cookie spec  so code that consumes cookies should be prepared to encounter pretty much anything  but for code that produces cookies it is advisable to stick with the subset in RFC 6265

User · Answer

you can not put     in the value field of a cookie  the name that will be set is the string until the     in most browsers

[cookies] What are allowed characters in cookies?

Examples related to cookies