Cookie中允许的字符

本文翻译自：Allowed characters in cookies

this one's a quickie: 这是一个快捷方式：

What are the allowed characters in both cookie name and value? Cookie名称和值中允许使用哪些字符？ Are they same as URL or some common subset? 它们是否与URL或某些公共子集相同？

Reason I'm asking is that I've recently hit some strange behavior with cookies that have - in their name and I'm just wondering if it's something browser specific or if my code is faulty. 原因我问的是，我已经创出近期与曲奇饼有一些奇怪的行为-他们的名字，我只是想知道，如果它是一些具体的事情浏览器，或者如果我的代码是错误的。

#1楼

参考：https://stackoom.com/question/8ghO/Cookie中允许的字符

#2楼

you can not put ";" 您不能输入“;” in the value field of a cookie, the name that will be set is the string until the ";" 在Cookie的value字段中，要设置的名称是字符串，直到“;”为止 in most browsers... 在大多数浏览器中...

#3楼

I think it's generally browser specific. 我认为这通常是特定于浏览器的。 To be on the safe side, base64 encode a JSON object, and store everything in that. 为了安全起见，base64对JSON对象进行编码，然后将所有内容存储在其中。 That way you just have to decode it and parse the JSON. 这样，您只需要解码并解析JSON。 All the characters used in base64 should play fine with most, if not all browsers. 如果不是所有浏览器，base64中使用的所有字符都应该可以正常运行。

#4楼

There are 2 versions of cookies specifications Cookie规范有2个版本
1. Version 0 cookies aka Netscape cookies, 1.版本0 Cookie或Netscape Cookie，
2. Version 1 aka RFC 2965 cookies 2.版本1 aka RFC 2965 cookie
In version 0 The name and value part of cookies are sequences of characters, excluding the semicolon, comma, equals sign, and whitespace, if not used with double quotes 在版本0中，cookie的名称和值部分是字符序列，如果不使用双引号，则不包括分号，逗号，等号和空格
version 1 is a lot more complicated you can check it here 版本1复杂得多，您可以在此处进行检查
In this version specs for name value part is almost same except name can not start with $ sign 在此版本中，名称值部分的规格几乎相同，只是名称不能以$符号开头

#5楼

this one's a quickie: 这是一个快捷方式：

You might think it should be, but really it's not at all! 您可能会认为应该这样做，但实际上根本不行！

What are the allowed characters in both cookie name and value? Cookie名称和值中允许使用哪些字符？

According to the ancient Netscape cookie_spec the entire NAME=VALUE string is: 根据古老的Netscape cookie_spec ，整个NAME=VALUE字符串为：

a sequence of characters excluding semi-colon, comma and white space. 一系列字符，不包括分号，逗号和空格。

So - should work, and it does seem to be OK in browsers I've got here; 所以-应该可以工作，而且在我来到这里的浏览器中似乎还可以； where are you having trouble with it? 您在哪里遇到麻烦？

By implication of the above: 通过以上暗示：

• = is legal to include, but potentially ambiguous. =是合法的包括，但可能具有不同含义。 Browsers always split the name and value on the first = symbol in the string, so in practice you can put an = symbol in the VALUE but not the NAME. 浏览器始终在字符串的第一个=符号上拆分名称和值，因此在实践中，您可以在VALUE中放置=符号，但不能在NAME中放置=符号。

What isn't mentioned, because Netscape were terrible at writing specs, but seems to be consistently supported by browsers: 没有提到什么，因为Netscape在编写规范时很糟糕，但是似乎始终受到浏览器的支持：

• either the NAME or the VALUE may be empty strings NAME或VALUE可能为空字符串

• if there is no = symbol in the string at all, browsers treat it as the cookie with the empty-string name, ie Set-Cookie: foo is the same as Set-Cookie: =foo . 如果字符串中根本没有=符号，浏览器会将其视为具有空字符串名称的cookie，即Set-Cookie: foo与Set-Cookie: =foo 。

• when browsers output a cookie with an empty name, they omit the equals sign. 当浏览器输出名称为空的cookie时，它们会省略等号。 So Set-Cookie: =bar begets Cookie: bar . 所以Set-Cookie: =bar Cookie: bar 。

• commas and spaces in names and values do actually seem to work, though spaces around the equals sign are trimmed 名称和值中的逗号和空格似乎确实有效，尽管等号周围的空格已修剪

• control characters ( \\x00 to \\x1F plus \\x7F ) aren't allowed 不允许使用控制字符（ \\x00至\\x1F加上\\x7F ）

What isn't mentioned and browsers are totally inconsistent about, is non-ASCII (Unicode) characters: 未提及且浏览器完全不一致的是非ASCII（Unicode）字符：

• in Opera and Google Chrome, they are encoded to Cookie headers with UTF-8; 在Opera和Google Chrome中，它们使用UTF-8编码为Cookie标头；
• in IE, the machine's default code page is used (locale-specific and never UTF-8); 在IE中，使用计算机的默认代码页（特定于语言环境，从不使用UTF-8）；
• Firefox (and other Mozilla-based browsers) use the low byte of each UTF-16 code point on its own (so ISO-8859-1 is OK but anything else is mangled); Firefox（和其他基于Mozilla的浏览器）自行使用每个UTF-16代码点的低字节（因此，ISO-8859-1可以，但其他任何东西都被破坏了）；
• Safari simply refuses to send any cookie containing non-ASCII characters. Safari只是拒绝发送任何包含非ASCII字符的cookie。

so in practice you cannot use non-ASCII characters in cookies at all. 因此实际上，您根本不能在Cookie中使用非ASCII字符。 If you want to use Unicode, control codes or other arbitrary byte sequences, the cookie_spec demands you use an ad-hoc encoding scheme of your own choosing and suggest URL-encoding (as produced by JavaScript's encodeURIComponent ) as a reasonable choice. 如果要使用Unicode，控制代码或其他任意字节序列，则cookie_spec要求您使用自己选择的即席编码方案，并建议将URL编码（由JavaScript的encodeURIComponent产生）作为合理选择。

In terms of actual standards, there have been a few attempts to codify cookie behaviour but none thus far actually reflect the real world. 在实际标准方面，已经进行了一些尝试来整理Cookie行为，但是到目前为止，还没有任何方法能够真正反映出真实世界。

• RFC 2109 was an attempt to codify and fix the original Netscape cookie_spec. RFC 2109试图对原始Netscape cookie_spec进行编码和修复。 In this standard many more special characters are disallowed, as it uses RFC 2616 tokens (a - is still allowed there), and only the value may be specified in a quoted-string with other characters. 在该标准中，不允许使用更多特殊字符，因为它使用RFC 2616令牌（此处仍然允许使用- ），并且只能在带引号的字符串中指定该值以及其他字符。 No browser ever implemented the limitations, the special handling of quoted strings and escaping, or the new features in this spec. 没有浏览器实现限制，对引号引起的字符串的特殊处理和转义，或者此规范中的新功能。

• RFC 2965 was another go at it, tidying up 2109 and adding more features under a 'version 2 cookies' scheme. RFC 2965是另一种解决方法，它整理了2109，并在“版本2 Cookie”方案下添加了更多功能。 Nobody ever implemented any of that either. 也没有人实施过任何一个。 This spec has the same token-and-quoted-string limitations as the earlier version and it's just as much a load of nonsense. 该规范与早期版本具有相同的标记和引号字符串限制，并且是一堆废话。

• RFC 6265 is an HTML5-era attempt to clear up the historical mess. RFC 6265是HTML5时代试图清除历史混乱的尝试。 It still doesn't match reality exactly but it's much better then the earlier attempts—it is at least a proper subset of what browsers support, not introducing any syntax that is supposed to work but doesn't (like the previous quoted-string). 它仍然不完全符合现实，但是比早期的尝试要好得多-它至少是浏览器支持的一个适当子集，没有引入任何应该起作用但不起作用的语法（例如之前的带引号的字符串） 。

In 6265 the cookie name is still specified as an RFC 2616 token , which means you can pick from the alphanums plus: 在6265中，cookie名称仍然指定为RFC 2616 token ，这意味着您可以从字母数字加：

!#$%&'*+-.^_`|~

In the cookie value it formally bans the (filtered by browsers) control characters and (inconsistently-implemented) non-ASCII characters. 在cookie值中，它正式禁止（由浏览器过滤）控制字符和（不一致执行的）非ASCII字符。 It retains cookie_spec's prohibition on space, comma and semicolon, plus for compatibility with any poor idiots who actually implemented the earlier RFCs it also banned backslash and quotes, other than quotes wrapping the whole value (but in that case the quotes are still considered part of the value, not an encoding scheme). 它保留了cookie_spec对空格，逗号和分号的禁止，并且为了与实际上实施较早RFC的任何可怜的白痴兼容，它还禁止反斜杠和引号，但引号包装了整个值（但在这种情况下，引号仍被认为是值，而不是编码方案）。 So that leaves you with the alphanums plus: 这样就剩下字母数字加号了：

!#$%&'()*+-./:<=>?@[]^_`{|}~

In the real world we are still using the original-and-worst Netscape cookie_spec, so code that consumes cookies should be prepared to encounter pretty much anything, but for code that produces cookies it is advisable to stick with the subset in RFC 6265. 在现实世界中，我们仍在使用原始和最差的Netscape cookie_spec，因此应该准备使用cookie的代码来处理几乎所有内容，但是对于生成cookie的代码，建议坚持使用RFC 6265中的子集。

#6楼

Newer rfc6265 published in April 2011: 2011年4月发布的较新的rfc6265 ：

cookie-header = "Cookie:" OWS cookie-string OWS
cookie-string = cookie-pair *( ";" SP cookie-pair )
cookie-pair  = cookie-name "=" cookie-value
cookie-value = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE )

cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
                   ; US-ASCII characters excluding CTLs,
                   ; whitespace DQUOTE, comma, semicolon,
                   ; and backslash

If you look to @bobince answer you see that newer restriction more strict. 如果您使用@bobince答案，则会看到更新的限制更加严格。