Feature #1840

non-ascii cookie value get Bad request response

Added by moo over 11 years ago. Updated about 4 years ago.

Target version:
Start date:
Due date:
% Done:


Estimated time:
Missing in 1.5.x:


i'm not sure if it's validate in RFC, but it seems legal and easy to do setcookie (setrawcookie?) in php or document.cookie = .. in javascript without escaping/urlencoding the name/value pair. i did it by "mistake" and never had a chance to fix it from server side

well yes i can remove spcified cookie in firefox for specified site or clear all cookie in IE, but this is not a way for end users

chance that your server or pages may have set such header:
1. software (that generate web pages) that didn't aware of this problem and you studdently lost all users once you have non-ascii cookie sent
2. same as above but 3rd party plugins for your software
3. cookie and session fixation that's not fixed


Updated by gstrauss about 4 years ago

  • Tracker changed from Bug to Feature

lighttpd does not currently perform strict validation on the headers returned by CGI, FastCGI, SCGI. Also, for that matter, lighttpd does not strictly validate the contents of headers set by modules.

Changing ticket to feature request. Personally, I do not think that this should be done in lighttpd, as it belongs in developer testing tools or in an IDS or application-level firewall.


Updated by gstrauss about 4 years ago

  • Status changed from New to Invalid

If I understand correctly what is being requested, I don't think that this belongs in the core.

If implemented as an optional module, I can see how this might be useful to those who want to scrub incoming request headers or outgoing response headers.

Also available in: Atom