A HTTP Cookie consists of a name-value pair and can be set by the server using this response:
HTTP/1.0 200 OK
Content-type: text/html
Set-Cookie: name=value
Set-Cookie: name2=value2; Expires=Wed, 09 Jun 2021 10:18:14 GMT
Future requests from the client will then look like this:
GET /spec.html HTTP/1.1
Host: www.example.org
Cookie: name=value; name2=value2
Is the name of the cookie case sensitive?
For example, if my server sends a response as such:
HTTP/1.0 200 OK
Content-type: text/html
Set-Cookie: Aaaa=Bbbb
Set-Cookie: aAaa=bBbb
Set-Cookie: aaAa=bbBb
Set-Cookie: aaaA=bbbB
Is it reasonable to expect a client (Chrome, FireFox, Safari, IExplorer, Opera, etc) to send future requests with the header Cookie: Aaaa=Bbbb; aAaa=bBbb; aaAa=bbBb; aaaA=bbbB;?
Note: Question is neither JSP-specific, PHP-specific, nor ASP-specific.
Cookie names are case-sensitive. The RFC does not state that explicitly, but each case-insensitive comparison is stated so explicitly, and there is no such explicit statement regarding the name of the cookie. Chrome and Firefox both treat cookies as case-sensitive and preserve all case variants as distinct cookies.
Test case (PHP):
print_r($_COOKIE);
setcookie('foo', '123');
setcookie('Foo', '456');
Load script twice, observe $_COOKIE dump on second run.
At the bottom is a script that demonstrates Cookie case sensitivity on browsers and .Net framework. Every time it is run, it will insert a cookie named xxxxxxxxxx, with random upper/lower cases. Press F5 to refresh a few times to insert a few cookies.
I have teste it on Chrome and Firefox, and both demonstrate similar behavior, something like below:
Request.Cookies["xxxxxxxxxx"].Name returns: xxxxXxXXXX
All XXXXXXXXXX Cookies:
xxxxXxXXXX
xXxxXxXXXx
XxxxxXxXXx
XXXxXxXXxX
It shows:
- Cookies are case sensitive on Chrome and Firefox
- .Net Framework can handle case sensitive cookies (that's why it could loop through all those cookies)
- Request.Cookies["xxxxxxxxxx"] is case insensitive (that's why it returns the first cookie that case-insensitively matches the name)
As mentioned in other answers, the new RFC indicates that cookies are case sensitive, and both Chrome and Firefox seem to handle it that way. .Net Framework can handle case-sensitive cookies, but it really wants to treat cookies case-insensitively, and many of its functions do treat cookies that way (Cookies[], Cookies.Set() etc.). This inconsistency can cause many hard to track bugs.
TestCookie.aspx:
<%@ Page language="c#" AutoEventWireup="false" validateRequest=false %>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title id="title">Test Cookie Sensitivity</title>
</head>
<body>
<p>Request.Cookies["xxxxxxxxxx"].Name returns:
<%
HttpCookie cookie2 = Request.Cookies["xxxxxxxxxx"];
if (cookie2 == null) Response.Write("No cookie found");
else Response.Write(cookie2.Name);
%>
</p>
<h3>All XXXXXXXXXX Cookies:</h3>
<ul>
<%
foreach (string key in Request.Cookies.Keys)
if (key.ToLower() == "xxxxxxxxxx") Response.Write("<li>" + key + "</li>");
Random rand = new Random();
StringBuilder name = new StringBuilder();
for (int i = 0; i < 10; i++) {
if (rand.Next(2) == 0) name.Append('x');
else name.Append('X');
}
HttpCookie cookie = new HttpCookie(name.ToString());
cookie.HttpOnly = true;
cookie.Expires = DateTime.Now.AddMonths(1);
Response.Cookies.Add(cookie);
%>
</ul>
</body>
</html>
It seems cookies are actually case sensitive. Theres some confusion with this. It is interesting that the MSDN says otherwise:
Cookie names are NOT case-sensitive
Source: http://msdn.microsoft.com/en-us/library/ms970178.aspx the bottom of the article says it's ©2002 so it might be outdated.
Also, the question has been asked in the asp.net forums, too: http://forums.asp.net/t/1170326.aspx?Are+cookie+names+case+sensitive+ and it seems the answer is case-sensitive.
What's going on? MSDN says no, other technologies say yes. To be sure, I tested this using ASP classic.
Code
hashUCASE = Request.Cookies("data")("Hash")
hashLCASE = Request.Cookies("data")("hash")
Response.Write "<p> hashUCASE = " & hashUCASE
Response.Write "<br> hashLCASE = " & hashLCASE
cookieNameUCASE = Request.Cookies("Data")
cookieNameLCASE = Request.Cookies("data")
Response.Write "<p> cookieNameUCASE = " & cookieNameUCASE
Response.Write "<br> cookieNameLCASE = " & cookieNameLCASE
Response.End
Results
hashUCASE: EE3305C0DAADAAAA221BD5ACF6996AAA
hashLCASE: EE3305C0DAADAAAA221BD5ACF6996AAA
cookieNameUCASE: name=1&Hash=EE3305C0DAADAAAA221BD5ACF6996AAA
cookieNameLCASE: name=1&Hash=EE3305C0DAADAAAA221BD5ACF6996AAA
As you can see in the results, the value "Hash" was created with uppercase and even when you make the request with lower case, it returns the same value, which makes it not case-sensitive. Under this MS technology, it is not.
Conclusion
So, using Request.Cookies() in ASP classic, it's not case-sensitive, like Microsoft says. But wait, isn't it case sensitive again? This may mean that whether sensitive or not depends on the server side technology that makes the request to the browser, which could be normalizing the cookie name to make the requests and thus making it not case sensitive. But that's something else we'll have to test to verify.
My advice is to make tests with whatever technology you are using and establish a standard in your code base, make an agreement with your team. i.e. if you're going to use a cookie, decide if it will always be written in lowercase or uppercase anytime you are going to use it in your code. That way there won't be any case sensitivity problems because in your code it will be always declared with the same case.
tl;dr
As long as you keep a convention with the cookie names you won't have problems with case sensitivity.
According to RFC 2109 - HTTP State Management Mechanism cookie names aka attribute names are case insensitive:
4.1 Syntax: General
The two state management headers, Set-Cookie and Cookie, have common
syntactic properties involving attribute-value pairs. The following
grammar uses the notation, and tokens DIGIT (decimal digits) and
token (informally, a sequence of non-special, non-white space
characters) from the HTTP/1.1 specification [RFC 2068] to describe
their syntax.
av-pairs = av-pair *(";" av-pair)
av-pair = attr ["=" value] ; optional value
attr = token
value = word
word = token | quoted-string
Attributes (names) (attr) are case-insensitive. White space is
permitted between tokens. Note that while the above syntax
description shows value as optional, most attrs require them.
According to MSDN, cookies name are NOT case sensitive. However, I'm not sure if that's just ASPX/IIS specific implementation. I believe it depends on the web server and the language as well.
If you send a cookie named "UserID", the browser will make sure they send it back as "UserID", not "userid".
{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://img.manongdao.com/sparkler-677774__340.jpg', '推荐 乱世女痞 的文章《Is the name of a cookie case sensitive?》','https://www.manongdao.com/article-237244.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}