有效 Cookie 值的明确指南
我知道还有其他问题,但他们的答案似乎是假设而不是确定的。
我有限的理解是,cookie 值是:
- 分号已用于分隔单个 cookie 中的 cookie 属性。
- 等号用于分隔 cookie 名称和值;
- 冒号用于分隔标头内的多个 cookie。
还有其他“特殊”角色吗?
其他一些问答建议使用一个 base64 编码该值,但这当然可能包含等号,这当然是无效的。
我还看到一些建议,可以引用价值观,但这会导致其他问题。
- 特殊字符需要加引号吗?
- 带引号的值是否支持通常的反斜杠转义机制。
RFC 我读了一些 RFC,包括许多 cookie RFCS 中的一些,但我仍然不确定,因为存在对另一个 RFC 等的交叉引用,没有明确的简单解释或“回答”我的查询的示例。
希望没有人会说阅读 RFC,因为问题变成了哪个 RFC...?
我想我也读到不同的浏览器有稍微不同的规则,所以希望如果这很重要,请在您的答案中注意这一点。
I know there are other questions but they seem to have answers which are assumptions rather than being definitive.
My limited understanding is that cookie values are:
- semi-colons are already used to separate cookies attributes within a single cookie.
- equals signs are used to separate cookie names and values
- colons are used to separate multiple cookies within a header.
Are there any other "special" characters ?
Some other q/a suggest that one base64 encodes the value but this does of course may include equals signs which of course are not valid.
i have also seen some suggestions that values may be quoted this however leads to other questions.
- do the special characters need to be quoted ?
- do quoted values support the usual backslash escaping mechanisms.
RFC
I read a few RFCs including some of the many cookie RFCS but i am still unsure as there is cross reference to another RFC etc with no definitive simple explaination or sample that "answers" my query.
Hopefully no one will say read the RFC because the question becomes which RFC...?
I think i have also read that different browsers have slightly different rules so hopefully please note this in your answers if this matters.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
最新的 RFC 是 6265,它指出以前的 Cookie RFC 已过时。
RFC 中的语法规则如下:
因此:
特殊字符是空格字符、双引号、逗号、分号和反斜杠。等于不是特殊字符。
根本不能使用特殊字符,但值可以用双引号括起来。
不能引用特殊字符。
反斜杠不充当转义符。
由此可见,可以使用base-64编码,因为equals并不特殊。
最后,据我所知,定义了 RFC 6265 cookie 值,以便它们可以与实现任何 Cookie RFC 的任何浏览器一起使用。但是,如果您尝试使用不符合 RFC 6265(但可以说确实符合早期 RFC)的 cookie 值,您可能会发现 cookie 行为因浏览器的不同而异。
简而言之,只要符合 RFC 6265 的规定就可以了。
如果您需要传递包含任何禁止字符的 cookie 值,您的应用程序需要对这些值进行自己的编码和解码;例如使用base64。
The latest RFC is 6265, and it states that previous Cookie RFCs are obsoleted.
Here's what the syntax rules in the RFC say:
Thus:
The special characters are white-space characters, double quote, comma, semicolon and backslash. Equals is not a special character.
The special characters cannot be used at all, with the exception that double quotes may surround the value.
Special characters cannot be quoted.
Backslash does not act as an escape.
It follows that base-64 encoding can be used, because equals is not special.
Finally, from what I can tell, the RFC 6265 cookie values are defined so that they will work with any browser that implements any of the Cookie RFCs. However, if you tried to use cookie values that don't conform to RFC 6265 (but do arguably do conform to earlier RFCs), you may find that cookie behavior varies with different browsers.
In short, conform to the letter of RFC 6265 and you should be fine.
If you need pass cookie values that include any of the forbidden characters, your application needs to do its own encoding and decoding of the values; e.g. using base64.
这里提到了 base64,所以这里有一个在 cookie 中使用它的熟 cookie 解决方案。这些函数是关于 base64 的修改版本,它们只使用 [0-9a-zA-Z_-]
你可以将它用于 cookie 的名称和值部分,正如他们所说,是二进制安全的。
gzdeflate/gzinflate 收回了 base64 创建的 30% 左右的空间,无法抗拒使用它。请注意,php gzdeflate/gzinflate 仅在大多数托管公司中可用,并非全部。
There was the mention of base64, so here is a cooked cookie solution using that in cookies. The functions are about a modified version of base64, they only use [0-9a-zA-Z_-]
You can use it for both the name and value part of cookies, is binary safe, as they say.
The gzdeflate/gzinflate takes back 30% or so space created by base64, could not resist using it. Note that php gzdeflate/gzinflate is only available in most hosting companies, not all.