Definite guide to valid Cookie values

Published 2019-02-03 18:04

Question:

I know there are other questions but they seem to have answers which are assumptions rather than being definitive.

My limited understanding is that, for cookie values:

  • semi-colons are already used to separate cookies attributes within a single cookie.
  • equals signs are used to separate cookie names and values
  • colons are used to separate multiple cookies within a header.

Are there any other "special" characters ?

Some other q/a suggest that one base64 encodes the value, but this of course may include equals signs, which of course are not valid.

I have also seen some suggestions that values may be quoted; this however leads to other questions.

  • do the special characters need to be quoted ?
  • do quoted values support the usual backslash escaping mechanisms.

RFC: I read a few RFCs, including some of the many cookie RFCs, but I am still unsure, as there are cross-references to other RFCs etc. with no definitive simple explanation or sample that "answers" my query.

Hopefully no one will say read the RFC because the question becomes which RFC...?

I think I have also read that different browsers have slightly different rules, so please note this in your answers if this matters.

Answer 1:

The latest RFC is 6265, and it states that previous Cookie RFCs are obsoleted.

Here's what the syntax rules in the RFC say:

 cookie-pair       = cookie-name "=" cookie-value
 cookie-name       = token
 cookie-value      = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE )
 cookie-octet      = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
                       ; US-ASCII characters excluding CTLs,
                       ; whitespace DQUOTE, comma, semicolon,
                       ; and backslash

Thus:

  • The special characters are white-space characters, double quote, comma, semicolon and backslash. Equals is not a special character.

  • The special characters cannot be used at all, with the exception that double quotes may surround the value.

  • Special characters cannot be quoted.

  • Backslash does not act as an escape.

It follows that base-64 encoding can be used, because equals is not special.

Finally, from what I can tell, the RFC 6265 cookie values are defined so that they will work with any browser that implements any of the Cookie RFCs. However, if you tried to use cookie values that don't conform to RFC 6265 (but arguably do conform to earlier RFCs), you may find that cookie behavior varies with different browsers.

In short, conform to the letter of RFC 6265 and you should be fine.



Answer 2:

There was the mention of base64, so here is a cooked cookie solution using that in cookies. The functions use a modified version of base64 that only uses [0-9a-zA-Z_-].

You can use it for both the name and value parts of cookies; it is binary safe, as they say.

The gzdeflate/gzinflate takes back the 30% or so of space added by base64; I could not resist using it. Note that PHP gzdeflate/gzinflate is available at most hosting companies, but not all.

//write
setcookie(
    'mycookie',
    code_base64_FROM_bytes_cookiesafe(gzdeflate($mystring)),
    time()+365*24*3600
);
//read
$mystring=gzinflate(code_bytes_FROM_base64_cookiesafe($_COOKIE['mycookie']));


function code_base64_FROM_bytes_cookiesafe($bytes)
    {
    //safe for name and value part [0-9a-zA-Z_-]
    //'/' and '+' are swapped for '_' and '-', and the '=' padding is dropped
    //(base64_encode emits no whitespace, so nothing else needs stripping)
    return strtr(base64_encode($bytes),array
            (
            '/'=>'_',
            '+'=>'-',
            '='=>'',
            ));
    }


function code_bytes_FROM_base64_cookiesafe($enc)
    {
    //add back the '=' padding: base64 input length must be a multiple of 4
    //(str_pad takes the target length, not the number of pad characters)
    $enc=str_pad($enc,strlen($enc)+(4-strlen($enc)%4)%4,'=',STR_PAD_RIGHT);
    return base64_decode(strtr($enc,array
            (
            '_'=>'/',
            '-'=>'+',
            )));
    }
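
Putting answer 1's grammar and answer 2's cookie-safe base64 together, as an added example in Python that is not part of either answer: a validator implementing the RFC 6265 cookie-value rule exactly as quoted above, plus an encode/decode pair built on Python's base64.urlsafe_b64encode (same [0-9A-Za-z_-] alphabet as the PHP functions) with the padding stripped and restored. It also shows that ordinary base64 output, '=' and '/' included, already passes the RFC 6265 grammar, which is the point answer 1 makes about equals signs.

```python
import base64
import re

# RFC 6265 cookie-octet: %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E,
# i.e. printable US-ASCII minus space, DQUOTE, comma, semicolon, backslash.
COOKIE_OCTET_RE = re.compile(r'^[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*$')


def is_valid_cookie_value(value: str) -> bool:
    """cookie-value = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE )."""
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        # Surrounding quotes are allowed; they do not enable any escaping,
        # so the inner text must still consist only of cookie-octets.
        value = value[1:-1]
    return COOKIE_OCTET_RE.match(value) is not None


def special_characters(value: str) -> set:
    """Characters of value that are not cookie-octets (for diagnostics)."""
    return {c for c in value if not COOKIE_OCTET_RE.match(c)}


def encode_cookie_safe(data: bytes) -> str:
    """URL-safe base64 ([0-9A-Za-z_-]) with '=' padding removed."""
    return base64.urlsafe_b64encode(data).rstrip(b'=').decode('ascii')


def decode_cookie_safe(text: str) -> bytes:
    """Restore padding to a multiple of 4 before decoding."""
    text += '=' * (-len(text) % 4)
    return base64.urlsafe_b64decode(text.encode('ascii'))


if __name__ == '__main__':
    # Constructed sample input: four high bytes that base64 turns into '//79/A=='.
    raw = b'\xff\xfe\xfd\xfc'
    plain = base64.b64encode(raw).decode('ascii')
    print(plain, is_valid_cookie_value(plain))          # '//79/A==' True
    print(special_characters('a; b,c"\\'))              # the five special characters
    token = encode_cookie_safe(raw)
    print(token, decode_cookie_safe(token) == raw)      # '__79_A' True
```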


Tags: java http