withastro / astro

The web framework for content-driven websites. ⭐️ Star to support our work!
https://astro.build

Cookie values getting URL encoded #10711

Closed lifeisfakenews closed 5 months ago

lifeisfakenews commented 5 months ago

Astro Info

Astro                    v4.5.15
Node                     v20.8.0
System                   Linux (x64)
Package Manager          npm
Output                   server
Adapter                  @astrojs/node
Integrations             none

If this issue only occurs in one browser, which browser is a problem?

No response

Describe the Bug

When setting cookies with `Astro.cookies.set` in SSR, the value of the cookie is being URL encoded (in my case, ` ` -> `%20`)

This doesn't happen when setting a cookie via `document.cookie` in client-side JavaScript, so I assume that isn't intended with this either

What's the expected result?

Setting a cookie with the value `test value` should then show the value `test value` in the browser's dev tools/cookie/storage debug area, instead of `test%20value`

Link to Minimal Reproducible Example

https://stackblitz.com/edit/github-apdxuw?file=src%2Fpages%2Findex.astro

rishi-raj-jain commented 5 months ago

I think it's expected to be, as it's going to be part of a set-cookie header which with best practices is safe to be encoded/decoded at the server.

You can obtain the right value by just using Astro.cookies.get("example") as in your reproduction to obtain the right decoded value.

On the client side, it becomes a better practice to decode value after splitting by ;.

https://stackoverflow.com/questions/572482/why-do-cookie-values-with-whitespace-arrive-at-the-client-side-with-quotes

lifeisfakenews commented 5 months ago

I could decode the cookies on the client side but that would require updates in many parts of my codebase, and this doesn't seem to be expected. It isn't documented anywhere and, from my experience, only happens to my Astro project.

If I set the `set-cookie` header myself, Astro doesn't URL encode the values then, so why should it if I set it via `Astro.cookies`?

I might be wrong, there might be a different reason for this but based on what I know, it seems a strange thing to encode the `set-cookie` value - browsers and such can figure it out, marked by `;` since `document.cookie = "..."` works

mingjunlu commented 5 months ago

According to RFC 6265, whitespaces are not allowed in cookie values. MDN also mentions that in Document: cookie property and Set-Cookie.

As to the reason why the value is URL-encoded, I found that when setting cookies, Astro uses the serialize method from cookie. Its default behavior is to use encodeURIComponent to encode the value.

If you need to keep the original text for some reason, you can pass your custom encode method like this:

```js
Astro.cookies.set('example', 'test value', {
  // Identity encoder: the value is written into the header unchanged
  encode(value) {
    return value;
  },
});
```

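
Why the default encoding matters once the value is not a fixed string, as an added example (not code from Astro or the `cookie` package): `buildSetCookie` and `parseSetCookie` are simplified, hypothetical stand-ins for a serializer and a user agent, `strictIdentityEncode` is one possible guarded version of the identity encoder above, and the sample value is constructed.

```javascript
// RFC 6265 cookie-octet: printable US-ASCII except space, double quote,
// comma, semicolon and backslash.
const COOKIE_OCTETS = /^[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*$/;

// Hypothetical, simplified serializer: applies `encode` to the value only.
function buildSetCookie(name, value, encode = encodeURIComponent) {
  return `${name}=${encode(value)}; Path=/`;
}

// Hypothetical, simplified user-agent view: the first ";" ends the value,
// everything after it is read as attributes.
function parseSetCookie(header) {
  const [pair, ...attributes] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attributes };
}

// Identity encoder that refuses anything the header syntax cannot carry.
function strictIdentityEncode(value) {
  if (!COOKIE_OCTETS.test(value)) {
    throw new TypeError('cookie value has characters outside RFC 6265 cookie-octet');
  }
  return value;
}

// Serialize the same value three ways and report what a parser would see.
function compareEncoders(value) {
  const identity = parseSetCookie(buildSetCookie('theme', value, (v) => v));
  const percent = parseSetCookie(buildSetCookie('theme', value));
  let strict;
  try {
    strict = parseSetCookie(buildSetCookie('theme', value, strictIdentityEncode));
  } catch (err) {
    strict = { rejected: err.message };
  }
  return {
    identity,
    percent: { ...percent, decoded: decodeURIComponent(percent.value) },
    strict,
  };
}

// Constructed sample: a value that reached the server from user input.
console.log(compareEncoders('dark; Domain=example.test'));
```

With the plain identity encoder the stored value is cut at the first `;` and the remainder is read as a cookie attribute; with the default encoder the whole string round-trips as the value.
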
lifeisfakenews commented 5 months ago

browsers (at least Firefox and Chrome) aren't following the spec ig

thx for that, I will use a defined serialise method then

mingjunlu commented 5 months ago

Let's wait for Astro's maintainers to decide if it is an expected behavior or not. If it's considered a bug, I'm willing to create a PR 🙂

matthewp commented 5 months ago

Astro doesn't run in the browser and the browser doesn't interface with the Set-Cookie header. Given that this is just the default behavior of the battle-tested cookie library I think we'll close. Thanks for the great explanation @mingjunlu