On Mon, 10 Mar 2003, Manni Wood wrote:
> 1. I looked into the cookie RFC, which refers to the HTTP RFC on what
> the definition of a quoted value is. Interestingly, a quoted value is
> not allowed to contain quotes, not even escaped quotes. Can someone
> correct me on my assumption if I am wrong? More interestingly, I see no
> reason why an unquoted value cannot contain unescaped quotes --- it's
> just not allowed to contain spaces.

Aye - bear in mind the IETF dogma; be strict in what you send; leisure in
what you accept. So in this case - we should make sure that any cookies we
send stick to the limited/strict definition; but should be able to accept
anything without spaces/quoted.

> 2. A valid cookie in the header does not need a value. Hence, you can
> have, in the cookie header, a cookie name, followed by a semi-colon,
> instead of the equal sign and value and *then* the semi-colon you would
> expect.

Right - and this you actually see in the wild. I think BroadVision does
this to do some clever browser detect.

> 3. A valid cookie header can separate its cookie/value pairs with commas
> as well as semi-colons, and can have space before and after the
> semi-colons or commas.

Yes - this is seen in the wild too. I think it is something Akamai or some
other 'accelerator' does.

> 4. A valid cookie/value pair can have space before and after the equal
> sign.

Yes - this is seen in the wild too. I've run into this several times with
walled-garden WAP gateways to the internet.

> 5. My state machine, based on my extensive testing, gracefully handles
> all the above assumptions, and also gracefully aborts searching
> malformed cookie headers. The resulting state machine is not as simple
> as I had hoped!

Aye! Looks good.

Dw
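
The acceptance rules from points 1-4 above, with the graceful abort of point 5, as an added Python sketch; it is not Manni Wood's state machine or code from any project. The function name, the `None` convention for a valueless cookie, and the choice to abort on an empty cookie name are assumptions made for this example.

```python
SEPARATORS = ";,"   # point 3: pairs may be separated by ';' or ','
WS = " \t"

# Constructed sample header exercising points 1-4.
SAMPLE = 'sid=abc123; theme="dark mode" , flag; lang = en'

def parse_cookie_header(header):
    """Return (pairs, ok). pairs holds what parsed cleanly; ok is False on abort."""
    pairs, i, n = [], 0, len(header)

    def skip_ws(i):
        while i < n and header[i] in WS:
            i += 1
        return i

    while True:
        i = skip_ws(i)
        if i >= n:
            return pairs, True
        start = i
        while i < n and header[i] not in WS + "=" + SEPARATORS:
            i += 1
        name = header[start:i]
        if not name:
            return pairs, False          # assumption: empty name is malformed
        i = skip_ws(i)                   # point 4: space before '='
        value = None                     # point 2: cookie without a value
        if i < n and header[i] == "=":
            i = skip_ws(i + 1)           # point 4: space after '='
            if i < n and header[i] == '"':
                end = header.find('"', i + 1)   # point 1: no quotes inside
                if end == -1:
                    return pairs, False  # unterminated quoted value
                value, i = header[i + 1:end], end + 1
            else:
                start = i                # unquoted: quotes allowed, spaces not
                while i < n and header[i] not in WS + SEPARATORS:
                    i += 1
                value = header[start:i]
            i = skip_ws(i)
        if i < n and header[i] not in SEPARATORS:
            return pairs, False          # junk after the pair: stop here
        pairs.append((name, value))
        i += 1                           # step over the separator

if __name__ == "__main__":
    print(parse_cookie_header(SAMPLE))
```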