"Manni Wood" <[EMAIL PROTECTED]> writes: [...]
> 1. I looked into the cookie RFC, which refers to the HTTP RFC on what
> the definition of a quoted value is. Interestingly, a quoted value is
> not allowed to contain quotes, not even escaped quotes. Can someone
> correct me on my assumption if I am wrong? More interestingly, I see no
> reason why an unquoted value cannot contain unescaped quotes --- it's
> just not allowed to contain spaces.

Good point. IMO RFC 2965 is vague on this point, but there is an
errata process underway that will address this issue. If you/anyone is
interested in participating, please email me directly.

> 2. A valid cookie in the header does not need a value. Hence, you can
> have, in the cookie header, a cookie name, followed by a semi-colon,
> instead of the equal sign and value and *then* the semi-colon you would
> expect.

The specs do require an "=" sign, even if the VALUE is empty; although
it's good practice for a server-side parser to tolerate its absence.

> 3. A valid cookie header can separate its cookie/value pairs with commas
> as well as semi-colons, and can have space before and after the
> semi-colons or commas.
>
> 4. A valid cookie/value pair can have space before and after the equal
> sign.

These are also debatable. The 2965 errata will hopefully address these
as well.

> 5. My state machine, based on my extensive testing, gracefully handles
> all the above assumptions, and also gracefully aborts searching
> malformed cookie headers. The resulting state machine is not as simple
> as I had hoped!

Cool! You might also consider subscribing to the apreq-dev list, since
we're doing the same sort of thing.

Best wishes.

--
Joe Schaefer
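
An added example, not part of the original message and not Manni Wood's or the apreq project's code: a lenient Cookie header parser in Python that follows the five points discussed above and stops at the first malformed pair. The function name, the `(pairs, ok)` return shape, the rejection of empty names and the sample header are assumptions made for illustration.

```python
WS = " \t"
SEP = ";,"

def parse_cookie_header(header):
    """Parse a Cookie header value leniently.

    Returns (pairs, ok). pairs holds the (name, value) tuples accepted so far;
    ok is False when parsing aborted on malformed input.
    """
    pairs, i, n = [], 0, len(header)

    def skip_ws(pos):
        while pos < n and header[pos] in WS:
            pos += 1
        return pos

    while True:
        i = skip_ws(i)
        if i >= n:
            return pairs, True
        start = i
        while i < n and header[i] not in "=" + SEP + WS:
            i += 1
        name = header[start:i]
        if not name:
            return pairs, False            # empty name, e.g. "=x" or ";;"
        i = skip_ws(i)
        value = ""                         # point 2: a missing "=" is tolerated
        if i < n and header[i] == "=":
            i = skip_ws(i + 1)             # point 4: space around "="
            if i < n and header[i] == '"':
                end = header.find('"', i + 1)
                if end == -1:
                    return pairs, False    # unterminated quoted value
                # point 1: a quoted value ends at the next quote, no escapes
                value, i = header[i + 1:end], end + 1
            else:
                start = i
                while i < n and header[i] not in SEP + WS:
                    i += 1
                value = header[start:i]    # unquoted: quotes allowed, spaces not
        i = skip_ws(i)                     # point 3: space around separators
        if i < n and header[i] not in SEP:
            return pairs, False            # junk after the value: abort
        pairs.append((name, value))
        i += 1                             # step over ";" or ","

# Constructed sample input, not taken from the thread.
SAMPLE = 'a=1; b = "two words" ,c;d=x"y'
if __name__ == "__main__":
    print(parse_cookie_header(SAMPLE))
```

A pair followed by unexpected text is dropped rather than kept, so callers never see a value whose boundary the parser could not confirm.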