gigebyte / cookies

Automatically exported from code.google.com/p/cookies

Cookie content after equals sign discarded #30

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps reproduce the problem?
1. from the server, set a cookie named "foo" with value "a=1&b=2"
2. do $cookies.get("foo")

What is the expected result of the above steps?  What do you see instead?

The expected result is "a=1&b=2"; actual result is "a".

What version of the following are you using?
  jQuery: 1.4.2
  cookies: 2.2.0

What browser/version are you using?
Firefox 3.6.6

What OS/version are you using?
Linux (Ubuntu 10.04)

Do you have any additional information to provide?

This is a bug in the parseCookies function, file line 104. The cookie pair is 
split on '='. The first part is treated as the name; the second part as the 
value. The rest is discarded. It should instead be preserved. Personally, I'd 
just look for the first '=' character and manually split into name and value.

Original issue reported on code.google.com by wpie...@gmail.com on 14 Jul 2010 at 10:07

GoogleCodeExporter commented 9 years ago
In issue #8 I pointed out that I can set a cookie such as the one you describe, 
and read it back without issue.  However, I am setting it from the client side 
through my own code where I know it is being encoded properly.  I believe this 
issue points to a lack of proper encoding of the cookie from your server.

That said, I do see how I can adapt to such a thing to be more flexible.

Original comment by auldrid...@gmail.com on 16 Jul 2010 at 1:49

GoogleCodeExporter commented 9 years ago
Thanks for the speedy reply.

I looked at the RFCs on this, and I believe this is legitimate cookie content. 
I think the only rule with special characters (like equals) is that they must 
be quoted, not escaped. That's per RFC2965 sec 3.1 and RFC 2068 sec 2.2. I'd 
expect the browser to remove the quotes, so I don't think that's an issue for 
your code.

Original comment by wpie...@gmail.com on 16 Jul 2010 at 8:12

GoogleCodeExporter commented 9 years ago
Thanks for the good info.

My testing shows that sending with a double quote wrapped string results in the 
double quotes being included in the written cookie value and encoded.

So this line of code
{{{
setcookie( 'test1', '"test2=test3"');
}}}
results in this cookie in the document.cookie string:
test1=%22test2%3Dtest3%22

It seems to me like I should only allow for anything in the value to return IF 
I see that the value is wrapped in double quotes after decoding.  That said, 
I'm not being strict in following the RFC as it is, because I'm not enforcing 
that the name of the cookie be a token.  I will probably take your initial 
advice on how to fix this, but I want to think about the RFCs some more and 
decide whether I should get strict or not.

Original comment by auldrid...@gmail.com on 16 Jul 2010 at 8:31
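
The truncation described in the original report, next to the first-'=' split it suggests, run over a value with raw '=' characters and over the percent-encoded quoted value from the comment above. This is an added example, not the plugin's code or any participant's: the function names and the sample string are constructed here.

```javascript
// Added example; parseCookiesNaive, parseCookies and safeDecode are hypothetical names.

// decodeURIComponent throws URIError on malformed escapes such as "%zz";
// fall back to the raw text so one bad cookie does not lose the whole jar.
function safeDecode(text) {
  try {
    return decodeURIComponent(text);
  } catch (e) {
    return text;
  }
}

// Reported behaviour: split on every '=' and keep only the first two parts,
// so "foo=a=1&b=2" yields the value "a".
function parseCookiesNaive(cookieString) {
  const jar = Object.create(null);
  for (const pair of cookieString.split(/;\s*/)) {
    if (!pair) continue;
    const parts = pair.split('=');
    jar[safeDecode(parts[0])] = safeDecode(parts[1] || '');
  }
  return jar;
}

// Suggested fix: split on the first '=' only, so the value is kept whole.
function parseCookies(cookieString) {
  // No prototype: a cookie named "toString" or "__proto__" stays plain data.
  const jar = Object.create(null);
  for (const pair of cookieString.split(/;\s*/)) {
    if (!pair) continue;
    const eq = pair.indexOf('=');
    // Assumption: a pair without '=' is a name with an empty value.
    const name = eq === -1 ? pair : pair.slice(0, eq);
    const value = eq === -1 ? '' : pair.slice(eq + 1);
    jar[safeDecode(name)] = safeDecode(value);
  }
  return jar;
}

// Constructed sample in the shape of a document.cookie string.
const SAMPLE = 'foo=a=1&b=2; test1=%22test2%3Dtest3%22; bad=%zz=x; flag';
```

The surrounding double quotes in `test1` survive decoding in both parsers; stripping them is a separate policy decision that this sketch leaves to the caller.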

GoogleCodeExporter commented 9 years ago
Issue 32 has been merged into this issue.

Original comment by auldrid...@gmail.com on 10 Nov 2010 at 1:52

GoogleCodeExporter commented 9 years ago
I just want to note that Facebook's authentication mechanism uses a cookie with 
name=value strings.  And I had to stop using this otherwise great jQuery plugin 
because of this issue with Facebook.  So this is not a little issue that only a 
few people will ever experience...

I recognize that Facebook may not be dealing with cookies properly, so maybe 
there should be a getRawCookie type of method?

Original comment by scott%gi...@gtempaccount.com on 10 Nov 2010 at 2:51

GoogleCodeExporter commented 9 years ago
Ok, so somehow there are big issues between what I am working with locally, and 
what comes from some servers.

I have committed a change in r75 which no longer assumes that split on = produces 
only two values.

Can anyone on this thread give it a test in areas where you once had problems? 
I have never been able to reproduce it, and all my test cases have always 
passed (and still do after this change).

Thanks,
Jim

Original comment by auldrid...@gmail.com on 10 Nov 2010 at 10:59

GoogleCodeExporter commented 9 years ago

Original comment by auldrid...@gmail.com on 10 Nov 2010 at 11:38

GoogleCodeExporter commented 9 years ago
bump... please read and respond to comment 6...

Original comment by auldrid...@gmail.com on 27 Jan 2011 at 4:34

GoogleCodeExporter commented 9 years ago
considering fixed in r75 unless comments I requested in comment 8 say otherwise

Original comment by auldrid...@gmail.com on 27 Jan 2011 at 5:16

GoogleCodeExporter commented 9 years ago
Hi! This was for a prototype, and I archived all of that code long ago. But the 
way I would test this:

From the server, send a cookie of the form 
cookiename=key1=val1&key2=val2&key3=val3

On the client, get the cookie value and make sure it contains the whole string 
rather than just "key1", which is what it was returning before.

Like Scott, my issue was with Facebook, so if you're looking for a real-world 
example, I'd try that.

Original comment by wpie...@gmail.com on 27 Jan 2011 at 6:25

GoogleCodeExporter commented 9 years ago
Ok, I used your example as I don't see anything in my own FB cookies which 
looks like that. It now works as you were originally expecting, so I consider 
this fixed.

Thanks!
Jim

Original comment by auldrid...@gmail.com on 27 Jan 2011 at 7:28

GoogleCodeExporter commented 9 years ago

Original comment by auldrid...@gmail.com on 27 Jan 2011 at 7:28

GoogleCodeExporter commented 9 years ago
Great! My hazy recollection is that it happened to me during the process of 
authenticating a Facebook app.

If you just need more real-world examples, though, you can do something like 

cut -f 7 FIREFOX_PROFILE_DIRECTORY/cookies.txt | grep =

I get more than a hundred matches.

Original comment by wpie...@gmail.com on 27 Jan 2011 at 9:09