Hapi does not seem to like " and { to be mixed in cookies. #2588

Closed
josheverett opened this issue Jun 8, 2015 · 8 comments
@josheverett

We're trying to use cookies whose values are JSON with hapi. There have been other issues opened on this topic, but the solutions were simply to sweep it under the rug by telling hapi to not serve a 400 when it detects an "invalid" cookie.

But we want to understand (and possibly help fix) this issue. It seems deeper than JSON -- hapi generally doesn't seem to like when a cookie value contains both " and { (or }), and we can't figure out a way to escape these values that hapi will accept.

Observe these test cases:

01.  OK    document.cookie = 'test={}'
02.  OK    document.cookie = 'test=}{'
03.  OK    document.cookie = 'test="foo"'
04.  OK    document.cookie = 'test={foo:bar}'
05.  OK    document.cookie = 'test="{}"'
06.  FAIL  document.cookie = 'test={""}'
07.  FAIL  document.cookie = 'test={"foo"}'
08.  FAIL  document.cookie = 'test={"foo":"bar"}'
09.  FAIL  document.cookie = 'test={\"foo\":\"bar\"}'
10.  FAIL  document.cookie = 'test={\\"foo\\":\\"bar\\"}'
11.  FAIL  document.cookie = 'test={\"foo\"\:\"bar\"}'
12.  FAIL  document.cookie = 'test={\\"foo\\"\\:\\"bar\\"}'

To test these out, fire up a barebones hapi server that just responds with "hello world" to all requests, then use your browser's console to set the "test" cookie in each test case before hitting the server. Or use a REST client or whatever floats your boat.

The only test case I found where hapi would serve a 200 with both of these characters in the cookie was case 05.

Using the example of setting a cookie via the browser's document.cookie, what is the right way to escape/encode JSON values so that hapi will accept it?

Or, more generally, why is case 05 valid to hapi, but not case 06? Is this intended behavior?

@ldesplat
Contributor

ldesplat commented Jun 8, 2015

I might be completely off base, just based off the rfcs..

http://www.ietf.org/rfc/rfc2616.txt

These special characters MUST be in a quoted
   string to be used within a parameter value (as defined in section
   3.6).

       token          = 1*<any CHAR except CTLs or separators>
       separators     = "(" | ")" | "<" | ">" | "@"
                      | "," | ";" | ":" | "\" | <">
                      | "/" | "[" | "]" | "?" | "="
                      | "{" | "}" | SP | HT

So, I would assume document.cookie = 'test="{\"foo\":\"bar\"}"' ?? Might need to escape it more. Or just base64 / urlencode it.

@josheverett
Author

@ldesplat unfortunately that doesn't work either. Nor does it work if you escape the {, :, and } characters.

We are thinking about urlencoding the value as a workaround. But we'd like to fundamentally understand if this is a bug in hapi or not.

@hueniverse
Contributor

hapi enforces proper RFC compliance. If you want to put silly values in there that violate the standard just set the strict flag to false.

@hueniverse hueniverse added the non issue Issue is not a problem or requires changes label Jun 8, 2015
@hueniverse hueniverse self-assigned this Jun 8, 2015
@josheverett
Author

@hueniverse as far as we can tell we are escaping/encoding our JSON values in a way that is compliant with the RFC. hapi is thus far the only server technology that dislikes the cookies.

Can you provide the proper escaping syntax for a cookie value of {"foo":"bar"} set via document.cookie=... in the browser that hapi will tolerate?

I have tried searching Google, Stack Overflow, etc., and the answers I have found are not compatible with hapi.

@kanongil
Contributor

kanongil commented Jun 9, 2015

There is no recognized escaping syntax for cookie values, as per RFC6265: https://tools.ietf.org/html/rfc6265#section-4.1.1. Surrounding the value with double-quotes is valid, but purely cosmetic.

@hueniverse
Contributor

@josheverett Just set hapi to b64json your cookies and you'll be fine. There is no way to escape certain characters, you have to encode them. hapi already has support for doing this for you.
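
The two points made above (kanongil's: RFC 6265 has no escaping, a DQUOTE pair around the value is only cosmetic; hueniverse's: encode rather than escape) can be checked directly. The following is an added example, not hapi's code: it implements the RFC 6265 cookie-value grammar, runs the issue's own test cases through it, and shows why base64-encoded JSON always passes. Function names (isRfc6265CookieValue, encodeB64Json, decodeB64Json, checkCases) are assumptions for this example.

```javascript
// Added example (not hapi's own code). Implements the RFC 6265 cookie-value
// grammar and the base64(JSON) encoding used as the workaround in this thread.

// cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
// i.e. visible US-ASCII minus CTLs, SP, DQUOTE (0x22), comma (0x2C),
// semicolon (0x3B) and backslash (0x5C). Note that '{', '}' and ':' ARE allowed.
const COOKIE_OCTET = /^[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*$/;

// cookie-value = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE )
// The outer DQUOTE pair is part of the grammar, but a DQUOTE anywhere inside
// the value is not a cookie-octet, which is exactly what separates case 05 from 06.
function isRfc6265CookieValue(value) {
  if (value.length >= 2 && value.startsWith('"') && value.endsWith('"')) {
    return COOKIE_OCTET.test(value.slice(1, -1));
  }
  return COOKIE_OCTET.test(value);
}

// base64 of the JSON text: the base64 alphabet (A-Z a-z 0-9 + / =) lies entirely
// inside cookie-octet, so the result is always a valid cookie-value.
function encodeB64Json(obj) {
  return Buffer.from(JSON.stringify(obj), 'utf8').toString('base64');
}
function decodeB64Json(value) {
  return JSON.parse(Buffer.from(value, 'base64').toString('utf8'));
}

// Constructed sample: the bytes the browser actually sends for some of the
// issue's test cases (JS string escapes already resolved, as in document.cookie).
const CASES = {
  '01': '{}',
  '04': '{foo:bar}',
  '05': '"{}"',
  '06': '{""}',
  '08': '{"foo":"bar"}',
  '10': '{\\"foo\\":\\"bar\\"}', // backslash-escaped quotes: backslash is not a cookie-octet either
};
function checkCases() {
  const out = {};
  for (const [id, value] of Object.entries(CASES)) out[id] = isRfc6265CookieValue(value);
  return out;
}
```

hapi exposes the same encoding as a per-cookie option, `server.state('test', { encoding: 'base64json' })`, so the value is decoded into an object on `request.state.test` without any escaping on the client side.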

@josheverett
Author

@hueniverse great, thank you!

Any reason you would recommend base64 over, say, url encoding?

@hueniverse
Contributor

Less to worry about standard compliance.

@lock lock bot locked as resolved and limited conversation to collaborators Jan 11, 2020