InfiniteLoop90 opened a new issue, #2054: URL: https://github.com/apache/shiro/issues/2054
### Search before asking

- [x] I had searched in the [issues](https://github.com/apache/shiro/issues?q=is%3Aissue) and found no similar issues.

### Environment

Java version: 17

### Shiro version

2.0.0

### What was the actual outcome?

`SimpleCookie` doesn't do any encoding of cookie values (or comments) when creating the `Set-Cookie` header. This causes browsers (or other web frameworks) to misinterpret or lose data. For example, if the cookie has a name of `test` and a value of `ab;cd`, the `Set-Cookie` header that Shiro would build would start with `test=ab;cd;`. Browsers would then see the first semicolon and interpret the value as `ab`. Other web frameworks would stop processing values at other characters too, like `@`.

As per https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Set-Cookie#attributes, one approach is to percent-encode the cookie value:

> Encoding: Many implementations perform [percent-encoding](https://developer.mozilla.org/en-US/docs/Glossary/Percent-encoding) on cookie values. However, this is not required by the RFC specification. The percent-encoding does help to satisfy the requirements of the characters allowed for `<cookie-value>`.

I suspect that the `Comment` can/should also be encoded the same way.

### What was the expected outcome?

Cookie values and comments should be URI-encoded so that browsers and other web frameworks don't misinterpret the values/comments.

### How to reproduce

Use `SimpleCookie#buildHeaderValue` to create a `Set-Cookie` header value with a cookie name of `test`, a cookie value of `ab;cd`, and a cookie comment of `Some +=;@%comment`.
The header string doesn't URI-encode the cookie value and comment:

```
test=abc;d; Comment=Some +=;@%comment; Path=/; SameSite=lax
```

The expected output would be to have the cookie value and comment URI-encoded:

```
test=abc%3Bd; Comment=Some%20%2B%3D%3B%40%25comment; Path=/; SameSite=lax
```

### Debug logs

_No response_

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
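The following is an added example illustrating the issue above; it is not Shiro's code and does not call `SimpleCookie`. It builds a `Set-Cookie` header in the same layout the report shows, once raw and once with the value and `Comment` percent-encoded, then parses each header the way an RFC 6265 user agent does (name-value pair up to the first `;`, the rest as attributes) so the truncation of `ab;cd` to `ab` is visible. It also checks the encoded value against the RFC 6265 `cookie-octet` set. The helper names (`build_set_cookie`, `parse_set_cookie`, `is_rfc6265_cookie_value`, `round_trip`) are hypothetical, and the sample value and comment are the ones from the report. `urllib.parse.quote(..., safe="")` encodes the same characters as JavaScript's `encodeURIComponent`, which is stricter than RFC 6265 requires (it also escapes `+`, `=` and `@`) and matches the expected output in the report.

```python
# Added example (not Shiro's code): why an unencoded cookie value such as "ab;cd"
# is truncated by the RFC 6265 client parsing algorithm, and how percent-encoding
# the value and the Comment attribute avoids it. Helper names are hypothetical.
from urllib.parse import quote, unquote

# RFC 6265 section 4.1.1 cookie-octet: printable US-ASCII (0x21-0x7E) except
# DQUOTE, comma, semicolon and backslash. CTLs and whitespace are outside the range.
_COOKIE_OCTETS = frozenset(
    chr(c) for c in range(0x21, 0x7F) if chr(c) not in '",;\\'
)


def is_rfc6265_cookie_value(value: str) -> bool:
    """True if every character is a cookie-octet, i.e. the value can be emitted
    unquoted in Set-Cookie without a user agent cutting it short."""
    return all(ch in _COOKIE_OCTETS for ch in value)


def encode_cookie_value(value: str) -> str:
    """Percent-encode like JavaScript's encodeURIComponent: everything except
    unreserved characters (A-Z a-z 0-9 - _ . ~) is escaped. Stricter than RFC 6265
    needs (also escapes '+', '=', '@'), and '%' itself is escaped so that decoding
    with unquote() is unambiguous."""
    return quote(value, safe="")


def build_set_cookie(name, value, comment=None, path="/", same_site="lax", encode=True):
    """Build a Set-Cookie header value in the layout shown in the report.
    encode=False reproduces the raw (problematic) output; encode=True applies
    percent-encoding to the value and to the Comment attribute."""
    enc = encode_cookie_value if encode else (lambda s: s)
    parts = [f"{name}={enc(value)}"]
    if comment is not None:
        parts.append(f"Comment={enc(comment)}")
    parts.append(f"Path={path}")
    parts.append(f"SameSite={same_site}")
    return "; ".join(parts)


def parse_set_cookie(header: str):
    """Mimic the RFC 6265 section 5.2 user-agent algorithm: the name-value pair
    runs up to the first ';', and each remaining ';'-separated piece is an
    attribute. Returns (name, value, {attribute_name_lowercased: attribute_value})."""
    name_value, _, rest = header.partition(";")
    name, _, value = name_value.partition("=")
    attrs = {}
    for piece in rest.split(";"):
        piece = piece.strip()
        if not piece:
            continue
        k, _, v = piece.partition("=")
        attrs[k.strip().lower()] = v.strip()
    return name.strip(), value.strip(), attrs


def round_trip(value: str, comment: str) -> dict:
    """Compare what a user agent sees for the raw header versus the encoded one."""
    raw = build_set_cookie("test", value, comment, encode=False)
    enc = build_set_cookie("test", value, comment, encode=True)
    _, raw_seen, raw_attrs = parse_set_cookie(raw)
    _, enc_seen, enc_attrs = parse_set_cookie(enc)
    return {
        "raw_header": raw,
        "raw_value_seen": raw_seen,                 # cut off at the first ';'
        "raw_comment_seen": raw_attrs.get("comment"),  # also cut off at ';'
        "encoded_header": enc,
        "encoded_value_valid": is_rfc6265_cookie_value(enc_seen),
        "encoded_value_decoded": unquote(enc_seen),
        "encoded_comment_decoded": unquote(enc_attrs.get("comment", "")),
    }


if __name__ == "__main__":
    # Constructed sample input: the value and comment from the report.
    for key, val in round_trip("ab;cd", "Some +=;@%comment").items():
        print(f"{key}: {val!r}")
```

The encoded form only helps if the server side decodes the value again when reading the `Cookie` header back (here with `unquote`); encoding on `Set-Cookie` without a matching decode on receipt just moves the data-loss problem to the application.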