Hey everyone, this one's a quickie:

What are the allowed characters in both cookie name and value? Are they the same as URL or some common subset?

Reason I'm asking is that I've recently hit some strange behavior with cookies that have - in their name and I'm just wondering if it's something browser specific or if my code is faulty.

+2  A: 

I think it's generally browser specific. To be on the safe side, base64 encode a JSON object, and store everything in that. That way you just have to decode it and parse the JSON. All the characters used in base64 should play fine with most, if not all browsers.

Jamie Rumbelow
+1  A: 

There are 2 versions of the cookie specification:

1. Version 0 cookies, aka Netscape cookies
2. Version 1, aka RFC 2965 cookies

In version 0, the name and value parts of cookies are sequences of characters, excluding the semicolon, comma, equals sign, and whitespace, if not used with double quotes.

Version 1 is a lot more complicated; you can check it here. In this version, the specs for the name and value parts are almost the same, except the name cannot start with a $ sign.

Tinku
+3  A: 

According to the ancient Netscape cookie_spec:

This string is a sequence of characters excluding semi-colon, comma and white space.

By implication the = character is also disallowed in the name part. So - should work, and it does seem to be OK in browsers I've got here; where are you having trouble with it?

What that document doesn't remember to say, because Netscape were terrible at writing specs, was that control characters (\x00 to \x1F plus \x7F) aren't allowed, and support for non-ASCII characters is left unspecified.

What browsers do:

  • in Opera and Google Chrome, non-ASCII characters are encoded into cookies with UTF-8;
  • in IE, the machine's default code page is used (locale-specific and never UTF-8);
  • Firefox (and other Mozilla-based browsers) use the low byte of each UTF-16 code point on its own (so ISO-8859-1 is OK but anything else is mangled);
  • Safari simply refuses to send any cookie containing non-ASCII characters.

so in practice you cannot use non-ASCII characters in cookies at all. If you want to use Unicode, control codes or other arbitrary byte sequences you must use an ad-hoc encoding scheme of your own choosing. Most popular is UTF-8-inside-URL-encoding (as produced by JavaScript's encodeURIComponent).

There is another, proper internet standard for Cookies: RFC2965. In this standard many more special characters are disallowed, as it uses RFC2616 tokens (a - is still allowed there), and only the value may be specified in a quoted-string with other characters.

However you should ignore this spec because no browser implements anything in it. In the real world we are still using the original-and-worst Netscape cookie_spec.

bobince
Thanks for all the info. We're seeing this problem with mobile browsers which have literally thousands of variations out there and basically we're trying to figure out just what is going on in the code.
Esko
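
The character rules and the UTF-8-inside-URL-encoding scheme from bobince's answer, as an added example that is not part of the original thread. The function names are hypothetical; the value is encoded so that a semicolon or non-ASCII character in user data cannot split or corrupt the cookie.

```javascript
// Added example. Rules follow the answer above: names may not contain
// semicolon, comma, whitespace, "=", control characters or non-ASCII.
const FORBIDDEN_IN_NAME = /[;,=\s\x00-\x1F\x7F]|[^\x00-\x7F]/;

// Hypothetical helper: true if the name can be sent unencoded.
function isSafeCookieName(name) {
  return name.length > 0 && !FORBIDDEN_IN_NAME.test(name);
}

// Build a "name=value" pair. The value is percent-encoded UTF-8, so the
// result is plain ASCII with no ";" "," "=" or whitespace in the value.
function serializeCookie(name, value) {
  if (!isSafeCookieName(name)) {
    throw new Error("unsafe cookie name: " + JSON.stringify(name));
  }
  return name + "=" + encodeURIComponent(value);
}

// Parse a Cookie request header into a name -> decoded value map.
function parseCookieHeader(header) {
  const out = Object.create(null); // no inherited keys such as "toString"
  for (const part of header.split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue; // no "=": not a name=value pair
    const name = part.slice(0, eq).trim();
    const raw = part.slice(eq + 1).trim();
    if (!isSafeCookieName(name)) continue; // drop malformed names
    try {
      out[name] = decodeURIComponent(raw);
    } catch (e) {
      out[name] = raw; // malformed percent-escape: keep the raw text
    }
  }
  return out;
}

// Constructed sample: a value that would otherwise inject a second
// "admin=1" pair and that contains a non-ASCII character.
const SAMPLE_VALUE = "Zoë; admin=1";
const pair = serializeCookie("user-name", SAMPLE_VALUE);
const parsed = parseCookieHeader(pair + "; theme=dark");
console.log(pair);
console.log(parsed["user-name"] === SAMPLE_VALUE, "admin" in parsed);
```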