Does javax.servlet.http.Cookie REALLY follow RFC 2109?
843842, Jul 11 2008 (edited Jul 21 2008)

Long story short, I started on a search this week to find out exactly why my site (ColdFusion running on Macromedia JRun) wouldn't set cookies with certain reserved names (Expires, secure, path, etc.). I ended up in the javax.servlet.http.Cookie class, which right there in the constructor filters with the following code:
    // Excerpt of the javax.servlet.http.Cookie(String name, String value)
    // constructor as quoted in the post; the rest of the constructor is elided.
    // The source comments really do say "rfc2019" (the RFC is 2109).
    if (!isToken(name)
        || name.equalsIgnoreCase("Comment") // rfc2019
        || name.equalsIgnoreCase("Discard") // 2019++
        || name.equalsIgnoreCase("Domain")
        || name.equalsIgnoreCase("Expires") // (old cookies)
        || name.equalsIgnoreCase("Max-Age") // rfc2019
        || name.equalsIgnoreCase("Path")
        || name.equalsIgnoreCase("Secure")
        || name.equalsIgnoreCase("Version")
        || name.startsWith("$")
        ) {
        // closing of the condition reconstructed here: any of the names above
        // makes the constructor reject the cookie with an IllegalArgumentException
        throw new IllegalArgumentException("Cookie name \"" + name + "\" is a reserved token");
    }
Not all the lines have comments, but the ones that do either reference the RFC (which the Javadocs also reference) or the "old cookie" behavior of older browsers.
Here's the thing: I've read RFC 2109 and I don't think it is that strict. http://www.faqs.org/rfcs/rfc2109.html
These are the applicable excerpts I can find:
*** "[Cookie] NAMEs that begin with $ are reserved for other uses and must not be used by applications."
*** Section 4.1 describes attribute-value pairs, where the attribute must be a token conforming to RFC 2068.
*** RFC 2068 (http://www.faqs.org/rfcs/rfc2068.html) says a token is 1 or more characters that are anything BUT CTLs or tspecials.
CTLs = <any US-ASCII control character (octets 0 - 31) and DEL (127)>
tspecials = "(" | ")" | "<" | ">" | "@" | "," | ";" | ":" | "\" | <"> | "/" | "[" | "]" | "?" | "=" | "{" | "}" | SP | HT
SP = <US-ASCII SP, space (32)>
HT = <US-ASCII HT, horizontal-tab (9)>
*** Furthermore, "The NAME=VALUE attribute-value pair must come first in each cookie."
*** And, "When [the server] receives a Cookie header, the origin server should treat cookies with NAMEs whose prefix is $ specially, as an attribute for the adjacent cookie. The value for such a NAME is to be interpreted as applying to the lexically (left-to-right) most recent cookie whose name does not have the $ prefix."
Sooooooo...
I get the !isToken(name) part, and I understand the name.startsWith("$") part, but who says a cookie name can't be "Comment", "Discard", "Domain", "Expires", "Max-Age", "Path", "Secure", or "Version"?
If the name=value pair has to come first, and the ONLY place you can find a semicolon is in the delimiter between cookies, then it shouldn't be any problem to parse:
Server to client
Set-Cookie: domain=foobar;domain=.yourserver.com
Client to server
Cookie: domain=foobar;$domain=.yourserver.com
So could someone explain why we disallow those cookie names, when according to the RFC they should be fine?
Thanks.
~Brad
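As an added example (not code from the original post, and not the servlet API's own implementation), here is a small Python parser for the two headers Brad shows, written to the RFC 2109 rule he quotes: the position of a pair decides what it means, not its name. The header strings, and the helper names `parse_cookie_header`, `parse_set_cookie`, `is_token` and `servlet_rejects`, are assumptions of this example; `servlet_rejects` merely paraphrases the constructor check quoted above so the two behaviours can be compared side by side.

```python
# Added example, not code from the original post or from the servlet API.
# Parses RFC 2109 Cookie / Set-Cookie header values by POSITION: the first
# pair is NAME=VALUE, later pairs are attributes. All header strings fed to
# it below are constructed for this example (Brad's two headers plus the
# RFC's own Customer/Part_Number sample).

# RFC 2068 tspecials; CTLs are handled by the ordinal check in is_token
TSPECIALS = set('()<>@,;:\\"/[]?={} \t')

def is_token(s: str) -> bool:
    """RFC 2068 token: one or more chars, none of them CTLs or tspecials."""
    return bool(s) and all(31 < ord(c) < 127 and c not in TSPECIALS for c in s)

def _unquote(v: str) -> str:
    """Drop the optional surrounding double quotes of a quoted-string value."""
    return v[1:-1] if len(v) >= 2 and v[0] == v[-1] == '"' else v

def parse_cookie_header(header: str) -> dict:
    """Client -> server 'Cookie:' value. A '$'-prefixed NAME is an attribute
    of the lexically most recent cookie; a leading $Version applies to the
    whole header. Only ';' is treated as a separator (RFC 2109 also permits
    ',', which this example deliberately does not handle)."""
    version = None
    cookies = []
    for raw in header.split(';'):
        raw = raw.strip()
        if not raw:
            continue
        name, _, value = raw.partition('=')
        name, value = name.strip(), _unquote(value.strip())
        if name.startswith('$'):
            if not cookies and name.lower() == '$version':
                version = value
            elif not cookies:
                raise ValueError(f'attribute {name} precedes any cookie NAME')
            else:
                # applies to the most recent cookie, whatever that cookie's NAME is
                cookies[-1]['attrs'][name[1:].lower()] = value
        else:
            if not is_token(name):
                raise ValueError(f'cookie NAME {name!r} is not a token')
            cookies.append({'name': name, 'value': value, 'attrs': {}})
    return {'version': version, 'cookies': cookies}

def parse_set_cookie(header: str) -> dict:
    """Server -> client 'Set-Cookie:' value: the first pair is NAME=VALUE,
    every later pair is an attribute, whatever its name happens to be."""
    parts = [p.strip() for p in header.split(';')]
    name, _, value = parts[0].partition('=')
    name = name.strip()
    if not is_token(name) or name.startswith('$'):
        raise ValueError(f'cookie NAME {name!r} is not a valid token')
    attrs = {}
    for p in parts[1:]:
        if p:
            k, _, v = p.partition('=')
            attrs[k.strip().lower()] = _unquote(v.strip())
    return {'name': name, 'value': _unquote(value.strip()), 'attrs': attrs}

# The eight names the quoted servlet constructor refuses
SERVLET_RESERVED = {'comment', 'discard', 'domain', 'expires',
                    'max-age', 'path', 'secure', 'version'}

def servlet_rejects(name: str) -> bool:
    """Paraphrase of the constructor check quoted in the post."""
    return (not is_token(name)
            or name.lower() in SERVLET_RESERVED
            or name.startswith('$'))

if __name__ == '__main__':
    print(parse_set_cookie('domain=foobar;domain=.yourserver.com'))
    print(parse_cookie_header('domain=foobar;$domain=.yourserver.com'))
    print(parse_cookie_header('$Version="1"; Customer="WILE_E_COYOTE"; $Path="/acme"'))
    print('servlet rejects "domain":', servlet_rejects('domain'),
          '| is_token("domain"):', is_token('domain'))
```

Run as a script it prints the parsed form of both of Brad's headers: `domain` is the cookie NAME, `.yourserver.com` lands in its attributes, and nothing had to compare the NAME against a reserved word. The caveat is that this only works because the parser is positional; a client or server that recognises attributes by scanning for `domain`, `expires` or `path` anywhere in the header (the kind of behaviour the `(old cookies)` comment seems to be guarding against) would treat such a cookie NAME as the attribute. Positional parsing on both ends is the property that has to hold before the reserved-name check in the constructor becomes unnecessary.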