VBA-tools / VBA-Web

VBA-Web: Connect VBA, Excel, Access, and Office for Windows and Mac to web services and the web
http://vba-tools.github.io/VBA-Web/
MIT License

URL Decoding causes problems with cookies #149

Closed bdr99 closed 9 years ago

bdr99 commented 9 years ago

I ran into this problem when I was writing a macro that authenticates to a web service which requires a session cookie. The session cookie is a string of characters which sometimes includes a plus sign. These plus signs are getting changed to spaces when the cookie is saved to the response's Cookies Dictionary. I worked around it by using something like sessionCookie = replace(sessionCookie, " ", "+"), but it is not an ideal solution.

Looking at the code, it appears that this is because of the call to WebHelpers.UrlDecode here in the WebResponse class. Why do cookies need to be UrlDecoded? Is it necessary?

Here is some example code which replicates the problem:

Dim client As New WebClient, request As New WebRequest, response As WebResponse
client.BaseUrl = "http://httpbin.org/"
request.Resource = "cookies/set?cookie=abc%2Bdef"  ' %2B = "+"
Set response = client.Execute(request)
MsgBox response.Cookies(1)("Value")

The response header that comes from httpbin.org is as follows:

HTTP/1.1 302 FOUND
Server: nginx
Date: Mon, 10 Aug 2015 02:58:26 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 223
Connection: keep-alive
Location: /cookies
Set-Cookie: cookie=abc+def; Path=/
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true

The Set-Cookie header says cookie=abc+def, so I would expect response.Cookies(1)("Value") to be abc+def, but the MsgBox instead displays abc def.

timhall commented 9 years ago

Hi @bdr99, I have been reading more about cookie encoding, http://tools.ietf.org/html/rfc6265#section-4.1.1, and it looks like the existing URL decoding for cookies in VBA-Web goes a little too far (leading to issues like "+" being decoded incorrectly in your case). I'll update the library with more cookie-specific encoding/decoding shortly, thanks for raising this issue.
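
An added illustration of cookie-specific decoding in VBA; it is not code from this issue or from VBA-Web. It decodes only %XX escapes and keeps "+" as a literal, since RFC 6265 section 4.1.1 lists "+" among the valid cookie-octets. The names DecodeCookieValue, IsHexPair, CookieValueFromHeader and DemoCookieDecoding are hypothetical, decoding %XX at all is an assumption made here, and the sample header is the one quoted in the report above.

```vba
Option Explicit

' Hypothetical helper (not part of VBA-Web): decode %XX escapes only.
' "+" means "space" only in form-encoded data, so it is copied through.
' Bytes above 127 go through Chr$ (ANSI); multi-byte UTF-8 is not handled.
Public Function DecodeCookieValue(ByVal Encoded As String) As String
    Dim i As Long, ch As String, hexPair As String, result As String
    i = 1
    Do While i <= Len(Encoded)
        ch = Mid$(Encoded, i, 1)
        hexPair = Mid$(Encoded, i + 1, 2)
        If ch = "%" And IsHexPair(hexPair) Then
            result = result & Chr$(CLng("&H" & hexPair))
            i = i + 3
        Else
            ' Literal character ("+" included) or a malformed escape: keep as-is.
            result = result & ch
            i = i + 1
        End If
    Loop
    DecodeCookieValue = result
End Function

Private Function IsHexPair(ByVal s As String) As Boolean
    IsHexPair = (Len(s) = 2) And Not (s Like "*[!0-9A-Fa-f]*")
End Function

' Take the Set-Cookie header value, cut at the first ";" and the first "=".
Public Function CookieValueFromHeader(ByVal SetCookie As String) As String
    Dim pair As String, eqPos As Long
    pair = Trim$(Split(SetCookie & ";", ";")(0))
    eqPos = InStr(pair, "=")
    If eqPos > 0 Then
        CookieValueFromHeader = DecodeCookieValue(Mid$(pair, eqPos + 1))
    End If
End Function

Public Sub DemoCookieDecoding()
    Dim header As String
    header = "cookie=abc+def; Path=/"   ' header value from the report above
    ' Cookie-specific decoding: the plus sign survives.
    Debug.Print CookieValueFromHeader(header)
    ' Form-style decoding, shown for contrast: plus becomes a space.
    Debug.Print Replace(CookieValueFromHeader(header), "+", " ")
End Sub
```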

timhall commented 9 years ago

(Also, thanks for the detailed issue, including a test case!)

bdr99 commented 9 years ago

You're welcome, glad I could help!