Monday, February 14, 2011

How the hell did that value come in the cookie ??? I swear I never set it !!!!

Cookies come in two versions, Version 0 and Version 1. Version 0 adheres to the original Netscape spec, while Version 1 adheres to RFC 2109. According to the specs, in Version 0 cookie values "SHOULD NOT" contain white space, brackets, parentheses, equals signs, commas, double quotes, slashes, question marks, at signs, colons, and semicolons. Version 1 cookies, on the other hand, allow such values, but the entire value will be quoted, e.g. "testing:value".

Version 1 cookies are not fully supported by all user agents. By default (if not explicitly specified), cookies are created using Version 0 to ensure the best interoperability. One can explicitly set the version of the cookie by specifying Version="0/1".

I carried out some tests using IE 8, Firefox 3.6, Chrome 9 and JMeter as user agents and Tomcat 6.0.32 as the application server. The test simply created a cookie storing a URL as a value, i.e. URL= Tomcat docs mention that if a value contains illegal characters it would set the version of the cookie to 1 and quote the value. Using Fiddler to check the raw requests/responses, I confirmed it did just that. When the first request went out, it went without a cookie, and when the response came back, it returned with the cookie set with version 1 (the value was quoted). Now the user agents, especially JMeter and on occasion the browsers mentioned above, when sending the next request, sent the cookie but with the version set to 0. Tomcat, on receiving the request, then treated the version of the cookie as 0 and truncated everything after : (colon). Hence when the value of the cookie was read it gave just http instead of

Next time you are using cookies, keep these points in mind or you might just go crazy thinking "How the hell did that value come in the cookie ???". A better option would be to URL or Base64 encode/decode values in cases where the value contains special characters.
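To make the encoding advice concrete, here is an added example (not code from the original post and not Tomcat's parser) that models the truncation described above and checks two encodings against the Version 0 character list. The sample URL, the function names and the cut-at-first-listed-character model are assumptions made for illustration. Note that standard Base64 itself emits `=` and `/`, both on the list, so the URL-safe alphabet without padding is used instead.

```python
import base64
from urllib.parse import quote, unquote

# Characters the post lists as not allowed in Version 0 cookie values.
# (Both slash directions are included; that reading is an assumption.)
V0_ILLEGAL = set(' \t[]()=,"/\\?@:;')

# Constructed sample value; the URL used in the original test is not shown.
SAMPLE = "http://example.com/docs?id=1"

def v0_safe(value):
    """True if the value contains none of the listed characters."""
    return not any(ch in V0_ILLEGAL for ch in value)

def model_v0_read(raw):
    """Simplified model of the observed behaviour: the value is cut
    at the first character that Version 0 does not allow."""
    for i, ch in enumerate(raw):
        if ch in V0_ILLEGAL:
            return raw[:i]
    return raw

def std_b64(value):
    """Standard Base64, shown only to demonstrate that it is NOT safe."""
    return base64.b64encode(value.encode("utf-8")).decode("ascii")

def encode_b64(value):
    """URL-safe Base64 ('-' and '_' alphabet) with '=' padding removed."""
    data = base64.urlsafe_b64encode(value.encode("utf-8"))
    return data.decode("ascii").rstrip("=")

def decode_b64(token):
    """Restore the padding that encode_b64 removed, then decode."""
    padded = token + "=" * (-len(token) % 4)
    return base64.urlsafe_b64decode(padded).decode("utf-8")

def encode_url(value):
    """Percent-encode everything except unreserved characters."""
    return quote(value, safe="")

def decode_url(token):
    return unquote(token)

if __name__ == "__main__":
    print("raw value read back as:", model_v0_read(SAMPLE))
    for name, enc, dec in (("base64url", encode_b64, decode_b64),
                           ("percent", encode_url, decode_url)):
        token = enc(SAMPLE)
        survived = model_v0_read(token) == token
        print(name, token, "safe:", v0_safe(token),
              "round trip:", survived and dec(token) == SAMPLE)
    print("standard Base64 safe:", v0_safe(std_b64(SAMPLE)))
```

Decode on the server with the matching function before using the value, and treat the decoded result as untrusted input like any other cookie content.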

Till next time ...


  1. Nice post. Screenshots/bullets next time to enhance the readability even more?

  2. Wrote the article in a jiffy so didn't have time to beautify it... Thanks for the feedback though :)