Comments (7)

dougwilson commented on August 17, 2024

The answer is they are URL-encoded, or not. It's up to the server, as cookie values are opaque ASCII values (see RFC 2965). The server just has to encode it the same way it wants to receive the value; the client does not do anything with the value. I've only seen servers encoding into UTF-8 and escaping the values (with, for example, escape or encodeURIComponent).

But yea, this module could certainly base64-encode the values or URL-encode the values, as long as it decodes them in the same way :D

dougwilson commented on August 17, 2024

> to avoid issues with cookie strings with ; and stuff.

Aren't the cookie's name and value URL-encoded (thus wouldn't have the literal ; over the wire)?

jonathanong commented on August 17, 2024

no idea. some tests would help. i think i just read somewhere that you shouldn't send certain values as cookie values. i'm sure most browsers handle this case anyways

jonathanong commented on August 17, 2024

meh if we don't need to do it then we shouldn't.

if we're sure node isn't retarded in this aspect, then we can close it

dougwilson commented on August 17, 2024

> if we're sure node isn't retarded in this aspect

Now that, I'm not sure about. I already hate how it special handles Cookie header into an array of the headers...

dougwilson commented on August 17, 2024

It looks like node.js shouldn't be touching the values: https://github.com/joyent/node/blob/v0.10.28/lib/http.js#L395-L399

robpaveza commented on August 17, 2024

@dougwilson I did some additional research. RFC2109 specifies this grammar:

 The two state management headers, Set-Cookie and Cookie, have common
 syntactic properties involving attribute-value pairs.  The following
 grammar uses the notation, and tokens DIGIT (decimal digits) and
 token (informally, a sequence of non-special, non-white space
 characters) from the HTTP/1.1 specification [RFC 2068] to describe
 their syntax.

 av-pairs        =       av-pair *(";" av-pair)
 av-pair         =       attr ["=" value]        ; optional value
 attr            =       token
 value           =       word
 word            =       token | quoted-string

You'll note it calls out "token" as from HTTP/1.1, which states this:

      token          = 1*<any CHAR except CTLs or tspecials>

      tspecials      = "(" | ")" | "<" | ">" | "@"
                     | "," | ";" | ":" | "\" | <">
                     | "/" | "[" | "]" | "?" | "="
                     | "{" | "}" | SP | HT

Therefore base64-encoded values when they include "=" need to be quoted strings or URL-encoded. I would recommend always using quoted-strings as that seems like it should always work for a conforming client.

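The grammar point from the last comment, as an added example that is not part of the thread or the cookies module's own code: it checks a value against the RFC 2068 `token` rule quoted above and shows the two encodings discussed (quoted-string and URL-encoding) for a base64 value with `=` padding. All function names are hypothetical and the sample value is constructed.

```javascript
// Added illustration; function names are hypothetical, not the cookies module's API.
// tspecials from RFC 2068 as quoted above, including SP and HT.
const TSPECIALS = new Set('()<>@,;:\\"/[]?={} \t');

// token = 1*<any CHAR except CTLs or tspecials>; CHAR is US-ASCII.
function isToken(value) {
  if (value.length === 0) return false;
  for (const ch of value) {
    const code = ch.codePointAt(0);
    if (code <= 31 || code >= 127 || TSPECIALS.has(ch)) return false;
  }
  return true;
}

// Option 1: quoted-string, backslash-escaping '"' and '\'.
// Restricted here to printable ASCII; other input should be URL-encoded.
function toQuotedString(value) {
  if (!/^[\x20-\x7e]*$/.test(value)) {
    throw new TypeError('not printable ASCII: URL-encode instead');
  }
  return '"' + value.replace(/["\\]/g, '\\$&') + '"';
}

// Option 2: URL-encode. encodeURIComponent leaves "(" and ")" alone,
// and both are tspecials, so percent-encode them as well.
function toUrlEncoded(value) {
  return encodeURIComponent(value).replace(/[()]/g,
    (c) => '%' + c.charCodeAt(0).toString(16).toUpperCase());
}

// Emit name=value, encoding the value only when it is not already a token.
function cookiePair(name, value, encode = toQuotedString) {
  if (!isToken(name)) throw new TypeError('cookie name must be a token');
  return name + '=' + (isToken(value) ? value : encode(value));
}

// Constructed sample: base64 of 16 bytes always ends in "==" padding.
const sample = Buffer.from('0123456789abcdef').toString('base64');
console.log(isToken(sample));
console.log(cookiePair('sid', sample));
console.log(cookiePair('sid', sample, toUrlEncoded));
```

Whichever encoding the server picks, it has to apply the matching decode (unquote and unescape, or `decodeURIComponent`) when the cookie comes back.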
