encode '(' and ')' at cookie value

[mastojun]

If server work as RFC 2109 (from RFC 2068). ( and ) characters in http header (also cookie value) are invalid

If send cookie value has ( or ) to tomcat 7.x. the value was cut before ( or ).

the reason was this code block.

So i suggest to add the line

value = value.replace(/[\(\)]/g, escape);

[FagnerMartinsBrack]

According to RFC 6265 (which obsoletes RFC 2965 which obsoletes RFC 2109), the parens are allowed in a cookie-octet.

We have plans to provide an optional write function to leave to the developer the burden to handle server-side incompatibilities, see #70.

It might be worth creating an issue in Tomcat regarding this, or wait until I get a proper response from the e-mail I send to the ietf's http-state group.

[mastojun]

thanks for your reply.

I think to offer backward compatibility (RFC 6265 and RFC 2109) was better than to provide an optional write function. (I think it is simply, only need is encoding more strictly)

Too many developer who will be using js-cookie (also jquery cookie plugin) will be trouble with this problem :'(

and tomcat is being implemented RFC 6256 at new version

[FagnerMartinsBrack]

@mastojun We will actually break backwards compatibility in v2 if we change it, since now it is documented how we encode cookies. The only thing we can do is to provide a way for developers to workaround it in their end.

I am glad to know Tomcat is working to be RFC 6265 compliant!
If you are using a Java-based server that is still not compliant with RFC 6265 you can try out the Java Cookie project. It is a project built for servlet containers that is consistent with RFC 6265 and has a similar API interface as js-cookie.

[mastojun]

@FagnerMartinsBrack Ok, I understand.
I have one more question. Do you have any plan to fix '(', ')' encoding problem at jquery.cookie 1.x version ?

[FagnerMartinsBrack]

I have one more question. Do you have any plan to fix '(', ')' encoding problem at jquery.cookie 1.x version ?

You mean start encoding it? jquery.cookie is not being maintained anymore, so there is no plan right now to change it. And even if we would change to start encoding parens, it would go against the spec, so I wouldn't rely on it.

If you really want to make it work in older versions of Tomcat I would wait to see if #71 will be landed (considering all these problems I am almost sure it will) or cherry-pick the commit 194c732 from #71 in a temporary fork and implement you own write converter.

[FagnerMartinsBrack]

@mastojun I have documented this problem, take a look here.

[mastojun]

@FagnerMartinsBrack

See this code or RFC 2068 page 16. %3C and %3E are not tokens, therefore tomcat 7.x can't read correctly.

for tomcat 7.x, custom write converter need to be fixed.

var Cookies = Cookies.withConverter({
  write: function (value) {
      return encodeURIComponent(value)
          .replace(/%(23|24|26|2B|5E|60|7C)/g, decodeURIComponent)
          .replace(/[\(\)]/g, escape);
  }
});

or to be quoted-string, tomcat implements is here.

[FagnerMartinsBrack]

or to be quoted-string, tomcat implements is here.

js-cookie does not support quoted-string for write operations. RFC 6265 does not explicitly specify any behavior for quoted-string and accepts different characters from RFC 2068, so we can't be sure if it will be correctly handled by all servers.

I have updated the snippet, see 7e628d2