Some cookies are really bad for your health and you have to be careful when you cook them. A very simple cookie looks like this when the server sends it to the client:
Set-Cookie: cookieName=cookieValue
but more often it will look like this:
Set-Cookie: cookieName=cookieValue; Path=/; Domain=example.org
Sometimes they will contain an Expires date:
Set-Cookie: cookieName=cookieValue; Expires=Wed, 09 Jun 2021 10:18:14 GMT
Cookies are defined in the specification 2695 and now in the specification HTTP State Management Mechanism, currently written by Adam Barth. The production rules for servers are strict and are defined in section 4.1, Set-Cookie.
This is the set of rules you have to check when you are coding either JavaScript or your Web framework to produce cookies.
- Set-Cookie:SP The space is important. US-ASCII SP (octet 32)
- cookieName any US-ASCII characters except control characters (octets 0-31) and DEL (octet 127), and the following characters: “(”, “)”, “<”, “>”, “@”, “,”, “;”, “:”, “\”, “/”, “[”, “]”, “?”, “=”, “{”, “}”, the double quote character itself, US-ASCII SP (octet 32) or the tabulation (octet 9)
- = no space before and after.
- cookieValue same as cookieName
Then optionally you can add
- ;SP The space is important
Just a little reminder because this morning I stumbled across a cookie which was badly defined on a Website:
Set-Cookie: {$aaa|xxx:"zzz"}=foo
The characters {, }, " and : are forbidden here.
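
The rules listed above can be turned into a check that runs before a header is sent. This is an added example, not code from the original post: the names `forbiddenChars` and `checkSetCookie` are hypothetical, and it assumes, as the list above states, that cookieValue follows the same character rules as cookieName.

```javascript
// Added example (not from the original page): validate a Set-Cookie line
// against the rules listed on this page.
const FORBIDDEN = '()<>@,;:\\"/[]?={} \t'; // separators, SP (32) and tab (9)

// Forbidden characters found in a cookie name or value, in order, no repeats.
function forbiddenChars(text) {
  const bad = [];
  for (const ch of text) {
    const code = ch.codePointAt(0);
    // Control characters, DEL and anything outside US-ASCII are rejected too.
    const illegal = code <= 31 || code >= 127 || FORBIDDEN.includes(ch);
    if (illegal && !bad.includes(ch)) bad.push(ch);
  }
  return bad;
}

// Hypothetical helper: returns a list of problems, empty when the line is fine.
function checkSetCookie(line) {
  const prefix = 'Set-Cookie: ';
  if (!line.startsWith(prefix)) {
    return ['header must start with "Set-Cookie:" and one space (octet 32)'];
  }
  const problems = [];
  const rest = line.slice(prefix.length);
  const end = rest.indexOf(';');
  const pair = end === -1 ? rest : rest.slice(0, end);
  const eq = pair.indexOf('=');
  if (eq < 1) return ['cookie pair must be cookieName=cookieValue'];
  // A space before or after "=" shows up here as a forbidden SP.
  const badName = forbiddenChars(pair.slice(0, eq));
  const badValue = forbiddenChars(pair.slice(eq + 1));
  if (badName.length) problems.push('forbidden in cookieName: ' + JSON.stringify(badName));
  if (badValue.length) problems.push('forbidden in cookieValue: ' + JSON.stringify(badValue));
  // Every ";" that introduces an attribute must be followed by one space.
  for (let i = end; i !== -1; i = rest.indexOf(';', i + 1)) {
    if (rest[i + 1] !== ' ') problems.push('";" at offset ' + i + ' is not followed by a space');
  }
  return problems;
}

// Sample lines taken from this page; the second is the badly defined cookie.
const samples = [
  'Set-Cookie: cookieName=cookieValue; Path=/; Domain=example.org',
  'Set-Cookie: {$aaa|xxx:"zzz"}=foo',
];
for (const line of samples) console.log(line, '->', checkSetCookie(line));
```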