tags:

views:

209

answers:

3
+1  Q: 

ASP.NET fails to correctly handle comma delimited cookies

According to the RFC, individual cookies in the "Cookie" HTTP header may be separated by commas as well as by semicolons. However, ASP.NET does not parse the commas case correctly - it does not count comma as a separator, but considers it just part of the value.

For example If a client sends header Cookie: a=b, c=d, then the ASP.NET application will see just one cookie named "a" with value "b, c=d".

As a special case, the same thing happens when the client sends several Cookie headers (one for each cookie) instead of combining all cookies in one header. From HTTP perspective, this is completely valid, and in such case the effective value of the header should be concatenation of the values of all its instances separated by commas.

Does anybody know a workaround (or maybe a fix?) for this? I absolutely need to get this working, because I don't control the client.

P.S. It is ironic that, according to this thread, the .NET built-in HTTP client's (aka HttpWebRequest) behavior is just the opposite, and also causes problems. :-)

+1  A: 

The version you linked to is obsolete. This HTTP State Management Mechanism document is the latest and greatest and it specifies semi-colons. It does say that commas should be accepted for future compatibility, but this is not required:

Note: For backward compatibility, the separator in the Cookie header is semi-colon (;) everywhere. A server SHOULD also accept comma (,) as the separator between cookie-values for future compatibility.

Keltex  2010-03-07 00:07:12
Oh! Thank you very much for the link.This means, however, that the BlackBerry's browser is not made to standard. I have found that for images (NOTE: only for images!), it sends each cookie in a separate header, which causes ASP.NET (or IIS?) to concatenate them with commas (according to HTTP standard, if I'm not mistaken again), which in turn causes cookies to be parsed incorrectly.Please confirm that my logic is correct here, and I'll send it to RIM for consideration.
Fyodor Soikin  2010-03-07 03:04:14
A: 

I believe the simplest solution to getting the behavior desired (regardless of standards correctness) would be to create an HttpModule that would correctly parse this information from the HttpContext.Request.Headers and place corrected information in HttpContext.Request.Cookies.

gWiz  2010-03-07 00:24:05
Yep, this is what I ended up doing.
Fyodor Soikin  2010-03-07 03:00:49
A: 

Both RFC 2109 and RFC 2965 are known not to describe reality.

You should have a look at draft-ietf-httpstate-cookie which is a work product of the new IETF httpstate Working Group.

Julian Reschke  2010-03-07 09:24:50

related questions

Subsonic Vs NHibernate
How to check For File Lock in C# ?
Is nAnt still supported and suitable for .net 3.5/VS2008?
Limit size of Queue<T> in .NET?
Viewstate invalid when using Safari
Free OCR library
Unhandled Exception Handler in .NET 1.1
Localising date format descriptors
Get a new object instance from a Type in C#
VFP .NET OLEdb provider does not work in Win 64-Bits. Help
.NET Testing Framework Advice
Embedded Database for .net that can run off a network
Automatically update version number
Homegrown consumption of web services
How do you migrate a large app from VB6 to VB .net ?
.NET Migrations Engine
Adding Scripting functionality to .NET applications
SQLite and XSD
Floating Point Number parsing: Is there a Catch All algorithm?
How do I programmatically create a PDF in my .NET application?
How do I sync the SVN revision number with my ASP.NET web site?
XSD DataSets and ignoring foreign keys
Anatomy of a "Memory Leak"
Reliable Timer in a Console Application
How do I calculate relative time?