What are allowed characters in cookies?

Question

What are the allowed characters in both cookie name and value? Are they same as URL or some common subset?

Reason I'm asking is that I've recently hit some strange behavior with cookies that have - in their name and I'm just wondering if it's something browser specific or if my code is faulty.

Recommended answer


this one's a quickie:

You might think it should be, but really it's not at all!


What are the allowed characters in both cookie name and value?

According to the ancient Netscape cookie_spec the entire NAME=VALUE string is:


a sequence of characters excluding semi-colon, comma and white space.

So - should work, and it does seem to be OK in browsers I've got here; where are you having trouble with it?

By implication of the above:


  • = is legal to include, but potentially ambiguous. Browsers always split the name and value on the first = symbol in the string, so in practice you can put an = symbol in the VALUE but not the NAME.

What isn't mentioned, because Netscape were terrible at writing specs, but seems to be consistently supported by browsers:


  • either the NAME or the VALUE may be empty strings
  • if there is no = symbol in the string at all, browsers treat it as the cookie with the empty-string name, ie Set-Cookie: foo is the same as Set-Cookie: =foo.
  • when browsers output a cookie with an empty name, they omit the equals sign. So Set-Cookie: =bar begets Cookie: bar.
  • commas and spaces in names and values do actually seem to work, though spaces around the equals sign are trimmed
  • control characters (\x00 to \x1F plus \x7F) aren't allowed

What isn't mentioned and browsers are totally inconsistent about, is non-ASCII (Unicode) characters:


  • in Opera and Google Chrome, they are encoded to Cookie headers with UTF-8;
  • in IE, the machine's default code page is used (locale-specific and never UTF-8);
  • Firefox (and other Mozilla-based browsers) use the low byte of each UTF-16 code point on its own (so ISO-8859-1 is OK but anything else is mangled);
  • Safari simply refuses to send any cookie containing non-ASCII characters.

so in practice you cannot use non-ASCII characters in cookies at all. If you want to use Unicode, control codes or other arbitrary byte sequences, the cookie_spec demands you use an ad-hoc encoding scheme of your own choosing and suggest URL-encoding (as produced by JavaScript's encodeURIComponent) as a reasonable choice.

In terms of actual standards, there have been a few attempts to codify cookie behaviour but none thus far actually reflect the real world.


  • RFC 2109 was an attempt to codify and fix the original Netscape cookie_spec. In this standard many more special characters are disallowed, as it uses RFC 2616 tokens (a - is still allowed there), and only the value may be specified in a quoted-string with other characters. No browser ever implemented the limitations, the special handling of quoted strings and escaping, or the new features in this spec.

  • RFC 2965 was another go at it, tidying up 2109 and adding more features under a ‘version 2 cookies’ scheme. Nobody ever implemented any of that either. This spec has the same token-and-quoted-string limitations as the earlier version and it's just as much a load of nonsense.

  • RFC 6265 is an HTML5-era attempt to clear up the historical mess. It still doesn't match reality exactly but it's much better than the earlier attempts—it is at least a proper subset of what browsers support, not introducing any syntax that is supposed to work but doesn't (like the previous quoted-string).

In 6265 the cookie name is still specified as an RFC 2616 token, which means you can pick from the alphanums plus:

!#$%&'*+-.^_`|~

In the cookie value it formally bans the (filtered by browsers) control characters and (inconsistently-implemented) non-ASCII characters. It retains cookie_spec's prohibition on space, comma and semicolon, plus for compatibility with any poor idiots who actually implemented the earlier RFCs it also banned backslash and quotes, other than quotes wrapping the whole value (but in that case the quotes are still considered part of the value, not an encoding scheme). So that leaves you with the alphanums plus:

!#$%&'()*+-./:<=>?@[]^_`{|}~

In the real world we are still using the original-and-worst Netscape cookie_spec, so code that consumes cookies should be prepared to encounter pretty much anything, but for code that produces cookies it is advisable to stick with the subset in RFC 6265.
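
The producer/consumer split recommended above, as an added example that is not part of the original answer: the writer accepts only an RFC 2616 token as the name and percent-encodes the value into the RFC 6265 subset, while the reader tolerates whatever arrives. The function names and the first-occurrence-wins policy are assumptions made for this sketch.

```javascript
// Added example; names and policies here are illustrative assumptions.
// RFC 2616 token: alphanumerics plus !#$%&'*+-.^_`|~
const TOKEN = /^[A-Za-z0-9!#$%&'*+\-.^_`|~]+$/;
// RFC 6265 cookie-octet: printable ASCII minus space, ", comma, ; and backslash
const COOKIE_OCTETS = /^[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*$/;

// Producer side: emit only the RFC 6265 subset.
function serializeCookiePair(name, value) {
  if (!TOKEN.test(name)) {
    throw new RangeError('cookie name is not an RFC 2616 token');
  }
  // Percent-encode so Unicode, control codes, space, comma and semicolon
  // never reach the header as raw bytes.
  const encoded = encodeURIComponent(value);
  if (!COOKIE_OCTETS.test(encoded)) {
    throw new RangeError('encoded value is outside RFC 6265 cookie-octet');
  }
  return `${name}=${encoded}`;
}

// Consumer side: be prepared to encounter pretty much anything.
function parseCookieHeader(header) {
  const jar = new Map();
  for (const part of header.split(';')) {
    const pair = part.trim();
    if (pair === '') continue;
    const eq = pair.indexOf('='); // split on the FIRST "=" only
    // No "=" at all: treated as the cookie with the empty-string name.
    const name = eq === -1 ? '' : pair.slice(0, eq).trim();
    const raw = eq === -1 ? pair : pair.slice(eq + 1).trim();
    let value;
    try {
      value = decodeURIComponent(raw);
    } catch (e) {
      value = raw; // malformed percent-escape: keep the raw text
    }
    // Policy assumed for this example: first occurrence of a name wins.
    if (!jar.has(name)) jar.set(name, value);
  }
  return jar;
}
```
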
