Hapi does not seem to like " and { to be mixed in cookies. #2588
Comments
I might be completely off base, just based off the RFCs: http://www.ietf.org/rfc/rfc2616.txt
So, I would assume
@ldesplat unfortunately that doesn't work either. Nor does it work if you escape the We are thinking about urlencoding the value as a workaround. But we'd like to fundamentally understand if this is a bug in hapi or not.
hapi enforces proper RFC compliance. If you want to put silly values in there that violate the standard just set the strict flag to false.
@hueniverse as far as we can tell we are escaping/encoding our JSON values in a way that is compliant with the RFC. hapi is thus far the only server technology that dislikes the cookies. Can you provide the proper escaping syntax for a cookie value of I have tried searching Google, Stack Overflow, etc., and the answers I have found are not compatible with hapi.
There is no recognized escaping syntax for cookie values, as per RFC6265: https://tools.ietf.org/html/rfc6265#section-4.1.1. Surrounding the value with double-quotes is valid, but purely cosmetic.
@josheverett Just set hapi to b64json your cookies and you'll be fine. There is no way to escape certain characters, you have to encode them. hapi already has support for doing this for you.
@hueniverse great, thank you! Any reason you would recommend base64 over, say, url encoding?
Less to worry about standard compliance.
We're trying to use cookies whose values are JSON with hapi. There have been other issues opened on this topic, but the solutions were to simply sweep it under the rug by telling hapi to not serve a 400 when it detects an "invalid" cookie.
But we want to understand (and possibly help fix) this issue. It seems deeper than JSON -- hapi generally doesn't seem to like when a cookie value contains both " and { (or }), and we can't figure out a way to escape these values that hapi will accept.
Observe these test cases:
To test these out, fire up a barebones hapi server that just responds with "hello world" to all requests, then use your browser's console to set the "test" cookie in each test case before hitting the server. Or use a REST client or whatever floats your boat.
The only test case I found where hapi would serve a 200 with both of these characters in the cookie was case 05.
Using the example of setting a cookie via the browser's document.cookie, what is the right way to escape/encode JSON values so that hapi will accept it?
Or, more generally, why is case 05 valid to hapi, but not case 06? Is this intended behavior?
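As an added example (not code from hapi or from anyone in this thread): a check of cookie values against the RFC 6265 section 4.1.1 grammar linked in the comments, run over constructed sample values, next to a hand-written base64 JSON encoding of the kind suggested there. It tests the RFC grammar only and does not reproduce hapi's parser; the function names and sample values are assumptions made for illustration.

```javascript
// RFC 6265 section 4.1.1:
//   cookie-value = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE )
//   cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
// '{' (0x7B) and '}' (0x7D) are cookie-octets; '"' (0x22), ',' (0x2C),
// ';' (0x3B), '\' (0x5C), whitespace and control characters are not.
const OCTET_CLASS = '[\\x21\\x23-\\x2B\\x2D-\\x3A\\x3C-\\x5B\\x5D-\\x7E]';
const OCTET = new RegExp(`^${OCTET_CLASS}$`);
const COOKIE_VALUE = new RegExp(`^(?:"${OCTET_CLASS}*"|${OCTET_CLASS}*)$`);

function isValidCookieValue(value) {
  return COOKIE_VALUE.test(value);
}

// Distinct characters that break the grammar. One surrounding DQUOTE pair is
// allowed by the grammar, so it is stripped before checking.
function offendingChars(value) {
  const inner = /^"[^]*"$/.test(value) ? value.slice(1, -1) : value;
  return [...new Set([...inner].filter((ch) => !OCTET.test(ch)))];
}

// Hypothetical helpers: JSON -> UTF-8 -> standard base64, and back.
function encodeBase64Json(obj) {
  return Buffer.from(JSON.stringify(obj), 'utf8').toString('base64');
}

function decodeBase64Json(value) {
  if (!isValidCookieValue(value)) {
    throw new Error('cookie value violates RFC 6265 cookie-value grammar');
  }
  return JSON.parse(Buffer.from(value, 'base64').toString('utf8'));
}

// Constructed sample values (not the test cases from the issue).
const session = { a: 1, b: 2 };
const samples = [
  '{a}',                                       // braces only
  '"{a}"',                                     // one surrounding DQUOTE pair
  JSON.stringify(session),                     // raw JSON: inner '"' and ','
  encodeURIComponent(JSON.stringify(session)), // percent-encoded JSON
  encodeBase64Json(session),                   // base64-encoded JSON
];
for (const value of samples) {
  console.log(isValidCookieValue(value), JSON.stringify(offendingChars(value)), value);
}
```

Both the percent-encoded and the base64 forms pass because `%`, `+`, `/` and `=` are all cookie-octets, while raw JSON fails on its inner double quotes and commas rather than on the braces.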