ExpressionEngine CMS

This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.

Double Quotes, Disallowed Key Characters

August 08, 2007 2:35pm

  • #1 / Aug 08, 2007 2:35pm

    Imda

    1 posts

    I’ve got an external vendor that uses double-quotes around their cookie names, which triggers Disallowed Key Characters in EE. What are the security risks involved in cookie names containing a " character? It’s possible that I could make a page external to EE to host the service they provide, but it’d be nice if I could get EE to allow it even if it means modifying the core.input.php file.

  • #2 / Aug 09, 2007 11:37am

    IMDadmin

    35 posts

    I’ve got an external vendor that uses double-quotes around their cookie names, which triggers Disallowed Key Characters in EE. What are the security risks involved in cookie names containing a " character? It’s possible that I could make a page external to EE to host the service they provide, but it’d be nice if I could get EE to allow it even if it means modifying the core.input.php file.

  • #3 / Aug 09, 2007 3:46pm

    Derek Jones

    7561 posts

    Going by the requirements of RFC 2109 for HTTP headers, RFC 2068 states the requirements for cookie names.

    Many HTTP/1.1 header field values consist of words separated by LWS
    or special characters. These special characters MUST be in a quoted
    string to be used within a parameter value.

        token          = 1*<any CHAR except CTLs or tspecials>

        tspecials      = "(" | ")" | "<" | ">" | "@"
                       | "," | ";" | ":" | "\" | <">
                       | "/" | "[" | "]" | "?" | "="
                       | "{" | "}" | SP | HT

    The <"> stands for a double quote and is therefore not an allowed cookie name character according to the RFC guidelines. Because browsers and other user agents would expect information to conform to guidelines, there is a potential that some browser or user agent would react poorly to a key that is out of spec, possibly even leading to a security issue.
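As an added illustration of the point made in the post above (example code, not from the thread, from ExpressionEngine or from the RFCs): the check below implements the RFC 2068 token grammar quoted above, then shows why a quoted cookie name is more than a cosmetic problem by feeding one Cookie header to two toy parsers, one that splits on ";" with no notion of quoting (a common behaviour in cookie parsers) and one that honours RFC 2068 quoted strings. When the name contains a double quote, the two parsers can disagree about the value of an unrelated cookie such as a session id. The Cookie headers, the cookie names and the EE_KEY_RE pattern (a rough stand-in for the check behind "Disallowed Key Characters", not copied from core.input.php) are constructed assumptions.

```python
"""RFC 2068 token check for cookie names, plus a parse-differential demo.

Added example, not ExpressionEngine code.  The token / tspecials grammar is
the one quoted from RFC 2068 above; the sample Cookie headers, cookie names
and the EE_KEY_RE pattern are constructed for illustration.
"""
import re

# tspecials exactly as listed in the RFC 2068 grammar (SP and HT included).
TSPECIALS = set('()<>@,;:\\"/[]?={} \t')


def is_token(s: str) -> bool:
    """True if s is a non-empty RFC 2068 token: US-ASCII CHARs, none of which
    is a CTL (0-31, 127) or a tspecial."""
    if not s:
        return False
    for ch in s:
        code = ord(ch)
        if code > 127:                  # not a CHAR
            return False
        if code < 32 or code == 127:    # CTL
            return False
        if ch in TSPECIALS:
            return False
    return True


def bad_chars(s: str):
    """Sorted list of the characters that stop s from being a token."""
    return sorted({ch for ch in s if not is_token(ch)})


# Assumption: an approximation of the key whitelist behind EE's
# "Disallowed Key Characters" message, not copied from core.input.php.
EE_KEY_RE = re.compile(r'^[a-z0-9:_/-]+$', re.IGNORECASE)


def ee_allows_key(name: str) -> bool:
    return bool(EE_KEY_RE.match(name))


def parse_naive(header: str) -> dict:
    """Split on ';' and the first '=' with no notion of quoting."""
    out = {}
    for part in header.split(';'):
        if '=' in part:
            k, v = part.split('=', 1)
            out[k.strip()] = v.strip()
    return out


def parse_quote_aware(header: str) -> dict:
    """Treat a double-quoted name or value as one RFC 2068 quoted-string, so a
    ';' inside the quotes does not separate cookies; quotes are stripped."""
    parts, buf, in_quotes = [], [], False
    for ch in header:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ';' and not in_quotes:
            parts.append(''.join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append(''.join(buf))
    out = {}
    for part in parts:
        if '=' in part:
            k, v = part.split('=', 1)
            out[k.strip().strip('"')] = v.strip().strip('"')
    return out


def disagreements(header: str) -> dict:
    """Cookie names on which the two parsers disagree: {name: (naive, aware)}."""
    a, b = parse_naive(header), parse_quote_aware(header)
    return {k: (a.get(k), b.get(k)) for k in a.keys() | b.keys()
            if a.get(k) != b.get(k)}


# Constructed sample headers (not from the original post).
VENDOR_HEADER = '"vendor_session"=abc123; exp_last_visit=1186562100'
# A quoted name that swallows a ';' and an '=': the naive parser ends up
# reading exp_sessionid from inside the quoted name, the other does not.
SMUGGLED_HEADER = 'exp_sessionid=real; "a;exp_sessionid=evil"=x'

if __name__ == '__main__':
    for name in ('exp_last_visit', '"vendor_session"'):
        print(f'{name!r}: token={is_token(name)} bad={bad_chars(name)} '
              f'ee_allows={ee_allows_key(name)}')
    print('naive      :', parse_naive(SMUGGLED_HEADER))
    print('quote-aware:', parse_quote_aware(SMUGGLED_HEADER))
    print('disagree on:', disagreements(SMUGGLED_HEADER))
```

Running it shows that `"vendor_session"` fails both the RFC token rule and the EE-style key check because of the `"` alone, and that for the second header the naive parser reports `exp_sessionid` as `evil"=x` while the quote-aware parser reports `real`. Whichever parser a given browser or server uses, a key that is out of spec is what makes the two readings diverge, which is the practical reason to keep the vendor's cookies out of the EE request rather than widen the key check.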
