Rails 2.0 changed cookie parsing

Bitsweat, in his Ruby 1.9 compat frenzy (awesome work, BTW), made this change to CGI::cookie: http://dev.rubyonrails.org/changeset/8405

A comma has been added to raw_cookie.split delimiter. Why? Cookies not set from Rails with values like “foo,bar” won’t work anymore, only “foo” will be preserved. Are we supposed to encode the comma in cookies when saving them in JavaScript from now on?

In other words (in JavaScript):

document.cookie = “expanded_rows=3,5,7; path=/admin”;

this cookie won’t get properly parsed server-side (only “3” will be preserved). Now we have to:

document.cookie = “expanded_rows=” + encodeURIComponent(“3,5,7”) + “; path=/admin”;

I noticed this broke in Radiant (and took an hour to track down), so I wondered why is this Ruby 1.9 compat. Thanks

  • Mislav

It isn't for compatibility: we forked Ruby's cookie parsing years ago and I imported the intervening changes.

According to RFC 2109, commas aren't allowed in the cookie value and should be encoded. Nor may they contain ()<>@;:\"/?={} or space or tab.

However, splitting on comma is just a 'should' so I'll revert.

Best, jeremy

Thanks for the explanation. We’re updating Radiant CMS to Rails 2.0 and, because the framework is already frozen in the project, I have simply updated its javascript to do encoding of values.

Still, maybe the revert should be backported to stable. I can’t estimate how many people out there are writing comma-delimited values via javascripts, but whoever did it’s broken if they update to Rails 2.0.2.