Why do cookie values with whitespace arrive at the client side with quotes?


Question

I'm a .NET developer starting to dabble in Java.

In .NET, I can set the value of a cookie to a string with white space in it: new HttpCookie("myCookieName", "my value") - and when I read that value on the client side (JavaScript), I get the value I expected (my value).

If I do the same thing in a Java servlet - new Cookie("myCookieName", "my value"), I get the value including the double quotes ("my value").

Why the difference? Am I missing something? How do people handle this in the Java world? Do you encode the value and then decode it on the client side?

Answer

When you use Cookie#setValue(),

"With Version 0 cookies, values should not contain white space, brackets, parentheses, equals signs, commas, double quotes, slashes, question marks, at signs, colons, and semicolons. Empty values may not behave the same way on all browsers."

then the average container will implicitly set the cookie to version 1 (RFC 2109 spec) instead of the default version 0 (Netscape spec). The behaviour is not specified by the Servlet API; the container is free to implement it (it may for example throw some IllegalArgumentException). As far as I know, Tomcat, JBoss AS and Glassfish all behave the same with regard to implicitly changing the cookie version. For at least Tomcat and JBoss AS this is the consequence of fixes for this security issue.

A version 1 cookie looks like this:

name="value with spaces";Max-Age=3600;Path=/;Version=1

while a version 0 compatible cookie looks like this:

name=value%20with%20spaces;Expires=Mon, 29-Aug-2011 14:30:00 GMT;Path=/

(note that the URL-encoded value is valid for version 0)

An important note is that Microsoft Internet Explorer doesn't support version 1 cookies. Not even the current IE 11 release. It'll interpret the quotes as being part of the whole cookie value and will treat and return it accordingly. It does not support the Max-Age attribute and will ignore it altogether, which causes the cookie's lifetime to default to the browser session. You were apparently using IE to test the cookie handling of your webapp.

To support MSIE as well, you really need to URL-encode and URL-decode the cookie value yourself if it possibly contains characters which are invalid for version 0.

import java.net.URLDecoder;
import java.net.URLEncoder;

// When creating the cookie: encode the value so that it contains no characters which are invalid for version 0
Cookie cookie = new Cookie(name, URLEncoder.encode(value, "UTF-8"));
// ...

// When reading the cookie back on the server: decode the value again
String value = URLDecoder.decode(cookie.getValue(), "UTF-8");
// ...

In order to support version 1 cookies for the worldwide audience, you'll really have to wait for Microsoft to fix the lack of MSIE support and for the browser with the fix to become mainstream. In other words, it'll take ages (update: as of now, 5+ years later, it doesn't seem it's ever going to happen). In the meanwhile you'd best stick to version 0 compatible cookies.
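As an added example, not part of the original answer, here is the client-side half of that advice in JavaScript: a small document.cookie parser that undoes the servlet's URL encoding (including the "+" that Java's URLEncoder writes for a space, which decodeURIComponent() alone would not turn back into a space) and that tolerates the quoted form a browser without version 1 support hands back. The cookie string is a constructed sample, and the function names are this example's own.

```javascript
// Added example, not from the original answer: the client-side half of the
// "URL-encode on the server, decode on the client" advice.
// Parse a document.cookie-style string ("a=b; c=d") into an object.
function parseCookies(cookieString) {
  const result = {};
  for (const part of cookieString.split(";")) {
    const pair = part.trim();
    if (pair === "") continue;
    const eq = pair.indexOf("=");
    const name = eq === -1 ? pair : pair.slice(0, eq);
    const raw = eq === -1 ? "" : pair.slice(eq + 1);
    result[name] = decodeCookieValue(raw);
  }
  return result;
}

// Undo what the servlet did. Java's URLEncoder.encode(value, "UTF-8") writes a
// space as "+" (the answer's sample shows %20; both must be handled), and
// decodeURIComponent() alone would leave the "+" untouched.
function decodeCookieValue(raw) {
  // A browser without version 1 support (MSIE, per the answer) returns the
  // surrounding double quotes as part of the value. Strip them and take the
  // quoted content literally: a version 1 quoted-string is not URL-encoded.
  if (raw.length >= 2 && raw.startsWith('"') && raw.endsWith('"')) {
    return raw.slice(1, -1);
  }
  try {
    return decodeURIComponent(raw.replace(/\+/g, " "));
  } catch (e) {
    // Malformed %XX escape (URIError): fall back to the raw value rather than
    // throwing while reading an unrelated cookie.
    return raw;
  }
}

// Constructed sample of what document.cookie could hold: a version 0 cookie
// written as in the answer, one written by Java's URLEncoder, and a version 1
// cookie echoed back verbatim by a browser that does not understand it.
const sampleDocumentCookie =
  'name=value%20with%20spaces; java=my+value; v1="value with spaces"';
const cookies = parseCookies(sampleDocumentCookie);
// cookies.name === "value with spaces", cookies.java === "my value",
// cookies.v1 === "value with spaces"
```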
