Now, when I make this request in my browser (Chrome, in this case), the Cookie header looks something like:
Cookie: abc=123; def=456; ghi="789"
Yet, the WebClient is instead sending something like:
Cookie: abc=123; def=456; ghi=789
This may seem insignificant. However, this particular web-server (and I've found this in more then one scenario) relies on the quotes remaining in place. With them stripped, I'm getting a response that my browser isn't supported (because they don't understand the cookie being sent). If I add the quotes to every cookie, then they give me an internal service error.
In the past, I've simply hard-coded special cases into my code to handle these particular cookies. However, I'm trying to generalize things now and really need a way to keep the cookies in their original form.
I would just parse the Set-cookie header, yet since it gets a simple "join(,)" used to generate it, it mucks up my split results because there are other commas in the Set-cookie string.
There's tons of ways to fix this in the source code, yet I really don't see why quotes need to be removed in the first place. This has been like this for a while though so changing that particular piece could potentially be a breaking change.
SlimerDudeWed 29 Jul 2015
As mentioned in the RFC 6265 section 4.1.1, Cookie values may optionally be surrounded in Double Quotes. So lines 40 and 41 simply remove them should they exist.
This, very old, stackoverflow question sheds some light on why double quoting is optional. (Essentially, it's evolving standards.)
(So arguably Cookie.make() should be more strict on this.) Percent encoding of cookie values seems to be the way forward.
Back to your problem, I'm a bit confused as to who is setting cookie values with quotes. Is it the (Fantom?) server or the browser?
brianWed 29 Jul 2015
So just to be clear, we are talking about WebClient sending cookies to the server correct?
What server is not properly handling them?
The existing cookie code is pretty well field testing, so I'd hate to change the behavior - especially since I'm pretty sure we are adhering to the spec, and it sounds like your server is not.
Jeremy CriquetWed 29 Jul 2015
It's a utility meter website which I have no control over. Yes, I'm talking about WebClient. The external server sets the cookie with a response header Set-cookie and subsequent requests that I make need to send that cookie in a Cookie header. Hopefully this clears any confusion?
I see that the point is to fit the spec, however we are not behaving as modern browsers are. My example shows that what the server sends me is being modified and not sent back as intended. Even if it fits the spec, Chrome and Firefox both do not modify the cookies like so (they send the quotes if they were supplied the quotes). I'm not saying we need to change the cookies, per-say. But it would at least be good to know if the server sent me a Set-cookie header with quotes in it or not.
Maybe if the cookie removes the quotes, a boolean can be set?
SlimerDudeWed 29 Jul 2015
As a workaround, could you not manipulate the request / response headers yourself? Using reqHeaders and resHeaders?
Jeremy CriquetWed 29 Jul 2015
Like I said, since they are concatenated together with comma's, I have no way of telling if a comma separates a cookie or was in the original Set-cookie header.
Another thing I noticed (this is something I can work around but still want to mention) is that Fantom is sending a cookie header like so:
Cookie: abc=123,def=456,ghi=789
When it should be (if we want to mimic modern browsers):
Cookie: abc=123; def=456; ghi=789
Sites like http://myhttp.info/ show a set of cookies all as 1 cookie with a bunch of commas in it.
I think the internet convention is to fit was modern browsers want, even if the standards define something else. For this reason, I think it important that we follow the trend or our WebClient will often not be able to work with certain sites.
matthewMon 3 Aug 2015
Ticket promoted to #2438 and assigned to matthew
Opening a ticket for this. The planned resolution is to adhere more closely to RFC6265
Change WebClient to encode "Cookie" request header with cookies separated by semicolon (;) instead of comma (,)
Change Cookie.fromStr to not strip double-quotes (") from cookie value. Implement the suggested algorithm from section 5.2 of the RFC for parsing the cookie-name-value pair.
Jeremy CriquetMon 3 Aug 2015
Thanks so much. As far as I can tell, this should make Cookies function much closer to an actual modern web browser.
matthewMon 3 Aug 2015
Ticket resolved in 1.0.68
Resolved per steps outlined in earlier comment, with this additional change:
Cookie.toStr no longer uses WebUtil.toQuotedStr to encode the value. The value is written "as-is".
Jeremy Criquet Tue 28 Jul 2015
I'm curious why these lines are in Cookie.fan: (lines 40 and 41)
I made a
WebClientthat (after sending a request) receives a response that looks something like:Now, when I make this request in my browser (Chrome, in this case), the Cookie header looks something like:
Yet, the
WebClientis instead sending something like:This may seem insignificant. However, this particular web-server (and I've found this in more then one scenario) relies on the quotes remaining in place. With them stripped, I'm getting a response that my browser isn't supported (because they don't understand the cookie being sent). If I add the quotes to every cookie, then they give me an internal service error.
In the past, I've simply hard-coded special cases into my code to handle these particular cookies. However, I'm trying to generalize things now and really need a way to keep the cookies in their original form.
I would just parse the
Set-cookieheader, yet since it gets a simple "join(,)" used to generate it, it mucks up mysplitresults because there are other commas in the Set-cookie string.There's tons of ways to fix this in the source code, yet I really don't see why quotes need to be removed in the first place. This has been like this for a while though so changing that particular piece could potentially be a breaking change.
SlimerDude Wed 29 Jul 2015
As mentioned in the RFC 6265 section 4.1.1, Cookie values may optionally be surrounded in Double Quotes. So lines 40 and 41 simply remove them should they exist.
This, very old, stackoverflow question sheds some light on why double quoting is optional. (Essentially, it's evolving standards.)
Why do cookie values with whitespace arrive at the client side with quotes?
Further more, the above RFC link stipulates that double quote characters are not allowed as cookie value octets (characters):
cookie-value = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE ) cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E ; US-ASCII characters excluding CTLs, ; whitespace DQUOTE, comma, semicolon, ; and backslash(So arguably Cookie.make() should be more strict on this.) Percent encoding of cookie values seems to be the way forward.
Back to your problem, I'm a bit confused as to who is setting cookie values with quotes. Is it the (Fantom?) server or the browser?
brian Wed 29 Jul 2015
So just to be clear, we are talking about WebClient sending cookies to the server correct?
What server is not properly handling them?
The existing cookie code is pretty well field testing, so I'd hate to change the behavior - especially since I'm pretty sure we are adhering to the spec, and it sounds like your server is not.
Jeremy Criquet Wed 29 Jul 2015
It's a utility meter website which I have no control over. Yes, I'm talking about
WebClient. The external server sets the cookie with a response headerSet-cookieand subsequent requests that I make need to send that cookie in aCookieheader. Hopefully this clears any confusion?I see that the point is to fit the spec, however we are not behaving as modern browsers are. My example shows that what the server sends me is being modified and not sent back as intended. Even if it fits the spec, Chrome and Firefox both do not modify the cookies like so (they send the quotes if they were supplied the quotes). I'm not saying we need to change the cookies, per-say. But it would at least be good to know if the server sent me a
Set-cookieheader with quotes in it or not.Maybe if the cookie removes the quotes, a boolean can be set?
SlimerDude Wed 29 Jul 2015
As a workaround, could you not manipulate the request / response headers yourself? Using
reqHeadersandresHeaders?Jeremy Criquet Wed 29 Jul 2015
Like I said, since they are concatenated together with comma's, I have no way of telling if a comma separates a cookie or was in the original Set-cookie header.
Another thing I noticed (this is something I can work around but still want to mention) is that Fantom is sending a cookie header like so:
When it should be (if we want to mimic modern browsers):
Sites like http://myhttp.info/ show a set of cookies all as 1 cookie with a bunch of commas in it.
I think the internet convention is to fit was modern browsers want, even if the standards define something else. For this reason, I think it important that we follow the trend or our
WebClientwill often not be able to work with certain sites.matthew Mon 3 Aug 2015
Ticket promoted to #2438 and assigned to matthew
Opening a ticket for this. The planned resolution is to adhere more closely to RFC6265
;) instead of comma (,)Cookie.fromStrto not strip double-quotes (") from cookie value. Implement the suggested algorithm from section 5.2 of the RFC for parsing the cookie-name-value pair.Jeremy Criquet Mon 3 Aug 2015
Thanks so much. As far as I can tell, this should make Cookies function much closer to an actual modern web browser.
matthew Mon 3 Aug 2015
Ticket resolved in 1.0.68
Resolved per steps outlined in earlier comment, with this additional change:
Cookie.toStrno longer usesWebUtil.toQuotedStrto encode the value. The value is written "as-is".