
PHP cookie special chars

I'm storing multiple pieces of information in cookies in JavaScript. The pieces of information are separated by a "+" sign, like document.cookie = 'cookie1' + '=' + inf1 + '+' + inf2.

But when I'm echoing out these cookies from PHP, the separating "+" sign is replaced with a space.

I've tried to echo with addslashes, but it didn't work. When I'm alerting the cookie from JS it's alright, it shows the separating "+" sign.

Does anyone out there know a solution for this?

I know it's not a new issue, but for those who also run into this problem, here's my solution:

To solve this error, use escaped characters instead!

At http://www.w3schools.com/jsref/jsref_escape.asp it says:

This function encodes special characters, with the exception of: * @ - _ + . /

So it means you can insert these characters into the cookie, but won't be able to retrieve them through PHP. PHP only accepts escaped ASCII chars like '%2B' for '+', '%2A' for '*', etc. Check the Hx column here: http://www.asciitable.com/

So how I solved it (quick and dirty) is that I tried to insert escaped data into the cookie:

function setCookie(c_name, value, exdays) {
  var exdate = new Date();
  // escape() leaves * @ - _ + . / unencoded, so percent-encode those by hand.
  var n_value = escape(value)
    .replace(/[+]/g, "%2B").replace(/[*]/g, "%2A").replace(/[@]/g, "%40")
    .replace(/[-]/g, "%2D").replace(/[_]/g, "%5F").replace(/[.]/g, "%2E")
    .replace(/[/]/g, "%2F");
  exdate.setDate(exdate.getDate() + exdays);
  // Append an expiry only when a lifetime in days was given.
  var c_value = n_value + ((exdays == null) ? "" : "; expires=" + exdate.toUTCString());
  document.cookie = c_name + "=" + c_value;
}

This escapes the rest of the characters, then replaces the exceptions ( +-_@*./ ). It's dirty and I'm pretty sure it can be done some other way, like regexp, etc., but it works for now.

Try it, you'll be satisfied with it!

That's weird: there is no specification that states a cookie should be treated as application/x-www-form-urlencoded:

  • Netscape's original draft stated:

     NAME=VALUE 

    This string is a sequence of characters excluding semi-colon, comma and white space. If there is a need to place such data in the name or value, some encoding method such as URL style %XX encoding is recommended, though no encoding is defined or required.

    So this is the plain percent-encoding.

  • RFC 2109 states:

     cookie = NAME "=" VALUE *(";" cookie-av)
     NAME = attr
     VALUE = value

    Where attr and value are specified as:

     attr = token
     value = word
     word = token | quoted-string

    And token and quoted-string are specified in HTTP/1.1 and can be represented by these regular expressions respectively:

     [!#$%&'*+\-.0-9A-Za-z^_`|~]+
     "([ \x21\x23-\x7E\x80-\xFF]|(\r\n)?[ \t]+|\\[\x00-\x7F])*"

    So this isn't application/x-www-form-urlencoded either but a different format preferred by HTTP-based extensions.

  • RFC 2965 doesn't specify anything different than RFC 2109 regarding the cookie syntax:

     cookie = NAME "=" VALUE *(";" set-cookie-av)
     NAME = attr
     VALUE = value

Thus the +, which is only replaced in application/x-www-form-urlencoded, should not be replaced by a space in cookies. So this is wrong behavior by PHP.

You could replace + with its URL code %2B.

document.cookie = 'cookie1' + '=' + inf1 + '%2B' + inf2;

You should also encode inf1 and inf2 if they might contain unencoded strings (if they're numbers, it's fine). Just search Google for "JavaScript urlencode".
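
The following is an added example, not code from any of the answers above. It packs several fields into one cookie so that a "+" separator survives a single form-urlencoded-style decode on the server and a "+" or ";" inside a field cannot be mistaken for a separator. The function names are hypothetical, and formUrlDecode is a model of the decoding the question observes in PHP, not PHP's own code.

```javascript
// Added example: all names are hypothetical and the sample values are constructed.

// Encode each field, join the fields with "+", then encode the whole value once more.
// The outer layer is the one the server strips when it decodes the cookie automatically.
function packCookie(name, fields) {
  const inner = fields.map(encodeURIComponent).join("+");
  return name + "=" + encodeURIComponent(inner);
}

// Model of form-urlencoded decoding: "+" becomes a space, then %XX is decoded.
function formUrlDecode(raw) {
  return decodeURIComponent(raw.replace(/\+/g, " "));
}

// Server-side view: one automatic decode, split on "+", then decode each field
// (in PHP the per-field step would be rawurldecode()).
function unpackCookie(cookieString) {
  const raw = cookieString.slice(cookieString.indexOf("=") + 1);
  return formUrlDecode(raw).split("+").map(decodeURIComponent);
}

// The question's original approach, for comparison: a raw "+" as the separator.
function naiveCookie(name, fields) {
  return name + "=" + fields.join("+");
}

const sample = ["a+b", "x y; z"]; // constructed field values
const packed = packCookie("cookie1", sample);
console.log(packed);               // in a browser: document.cookie = packed;
console.log(unpackCookie(packed)); // fields come back unchanged
console.log(formUrlDecode(naiveCookie("cookie1", ["1", "2"]))); // separator lost
```

Because cookies are client-controlled, the server should still validate each unpacked field before using it.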

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address. Any question please contact: yoyou2525@163.com.
