In some web servers, a cookie with a comma in the value will be split into two cookies (one with an empty value). For example, "foo=bar,goo" will be treated just like "foo=bar;goo=". Is this right according to the RFC?
I found this RFC document but don't know exactly what it means.
cookie-pair = cookie-name "=" cookie-value
cookie-name = token
cookie-value = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE )
cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
; US-ASCII characters excluding CTLs,
; whitespace DQUOTE, comma, semicolon,
; and backslash
What are those keywords: cookie-pair, cookie-name, cookie-value, cookie-octet?
cookie-value is the right-side part of "=". cookie-octet is the real value, enclosed in double quotes or nothing.
When you put in a "," (or ";"), see what happens:
So, your assumption is not quite correct and you must not use comma or semicolon inside the value.
NO, they are not allowed.
From the specs:
The same can be checked in RFC2965 and RFC2616.
According to the document's part you quoted, commas are not allowed:
US-ASCII characters excluding CTLs, whitespace DQUOTE, comma, semicolon, and backslash
However, I believe all modern browsers allow it anyway, so use it at your own risk. You can always use base64 or something similar, depending on your goal, if you need to encode special characters and stay compliant.
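As an added example (not from the question or any of the answers above), the following Python checks a value against the RFC 6265 cookie-value grammar quoted in the question, models the lenient comma-splitting server behaviour the question describes (a constructed model, not any real server's parser), and shows the base64 workaround from the last answer producing a compliant value.

```python
import base64
import re

# cookie-octet from the RFC 6265 grammar quoted in the question:
# %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E, i.e. printable US-ASCII
# minus CTLs, whitespace, DQUOTE, comma, semicolon and backslash.
COOKIE_OCTET = r'[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]'
# cookie-value = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE )
COOKIE_VALUE_RE = re.compile(rf'(?:{COOKIE_OCTET}*|"{COOKIE_OCTET}*")')


def is_valid_cookie_value(value: str) -> bool:
    """True if value matches the RFC 6265 cookie-value production."""
    return COOKIE_VALUE_RE.fullmatch(value) is not None


def split_lenient_cookie_header(header: str) -> dict:
    """Constructed model of the lenient server behaviour from the question:
    the Cookie header is split on ';' and ',' alike, and a bare name gets an
    empty value. This is NOT what RFC 6265 prescribes; it only shows why a
    comma inside a value is unsafe with such a server."""
    jar = {}
    for part in re.split(r'[;,]', header):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition('=')
        jar[name.strip()] = val.strip()
    return jar


def safe_cookie_value(raw: str) -> str:
    """Encode an arbitrary string so the result is a valid cookie-value.
    URL-safe base64 uses only A-Z a-z 0-9 - _ and =, all cookie-octets
    (0x3D '=' is allowed inside a value; only the first '=' separates the name)."""
    return base64.urlsafe_b64encode(raw.encode('utf-8')).decode('ascii')


def decode_safe_cookie_value(encoded: str) -> str:
    """Inverse of safe_cookie_value."""
    return base64.urlsafe_b64decode(encoded.encode('ascii')).decode('utf-8')


if __name__ == '__main__':
    print(is_valid_cookie_value('bar,goo'))            # False: comma excluded
    print(split_lenient_cookie_header('foo=bar,goo'))  # {'foo': 'bar', 'goo': ''}
    enc = safe_cookie_value('bar,goo')
    print(enc, is_valid_cookie_value(enc))             # YmFyLGdvbw== True
```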