search

ring-clojure / ring

Clojure HTTP server abstraction
MIT License
3.76k stars 520 forks source link

Attributes in the `Set-Cookie` header are formatted incorrectly #486

Closed kamituel closed 1 year ago

kamituel commented 1 year ago

The problem

As per RFC 6265, specifically section 4.1.1, attributes in the Set-Cookie header should be separated by ; - a semicolon followed by a space:

set-cookie-string = cookie-pair *( ";" SP cookie-av )

However, the ring.middleware.cookies doesn't add any spaces:

((wrap-cookies
  (fn [_] {:cookies {"a" {:value     "b"
                          :http-only true
                          :same-site :none
                          :secure    true
                          :max-age   500}}}))
 {})
=> {:headers {"Set-Cookie" ("a=b;HttpOnly;SameSite=None;Secure;Max-Age=500")}}

Expected behaviour

Each attribute (or the attribute-value pair) is preceeded by a space. For example:

{:headers {"Set-Cookie" ("a=b; HttpOnly; SameSite=None; Secure; Max-Age=500")}}
weavejester commented 1 year ago

Nice catch. Looks like this was changed from the previous RFC, and Ring wasn't updated accordingly.