Ralf, all,
I have made the change that Ralf pointed out because I had to read a cookie value that was set by a Rails application and that was not URL-encoded. Thus, I'd question the claim that URL-encoding cookies is a "de facto standard". The HTTP standard does not mandate any standard encoding for cookies, but only restricts their character set.
I am open to a check similar to one that Ralf proposed, although I would have Hunchentoot generate an error when the application tries to set a cookie that contains invalid characters.
-Hans
On Wed, Feb 1, 2012 at 8:23 PM, Ralf Stoye stoye@stoye.com wrote:
As you can see on git, future hunchentoot versions will not url-encode/decode cookie-values anymore. Since this encoding is an de facto standard regarding php, java and perl, and it might break existing code, i would like to hear your opinion about that.
At a minimum i want to suggest to introduce a sanity-check on #'cookie-values throwing an error if someone tries to set the value to a nonconforming value (similar to the check on valid cookie-names). The following code is an example predicate:
(defun http-cookie-value-p (value) "Tests whether VALUE is a string which is a valid cookie-value according to RFC 6265" (and (stringp value) (not (some (lambda (char) (let ((cc (char-code char))) (or (< cc #x21) (= #x22 cc) (= #x2c cc) (= #x3b cc) (= #x5c cc) (> cc #x7e)))) value))))
the decision is a matter of performance versus simplicity: we could decide to always encode cookie values (eg. per base64 or url-encode, or both) or leave the decision and responsability to the application.
Regards, Ralf Stoye
tbnl-devel site list tbnl-devel@common-lisp.net http://common-lisp.net/mailman/listinfo/tbnl-devel