53

A HTTP Cookie consists of a name-value pair and can be set by the server using this response:

HTTP/1.0 200 OK
Content-type: text/html
Set-Cookie: name=value
Set-Cookie: name2=value2; Expires=Wed, 09 Jun 2021 10:18:14 GMT

Future requests from the client will then look like this:

GET /spec.html HTTP/1.1
Host: www.example.org
Cookie: name=value; name2=value2

Is the name of the cookie case sensitive?

For example, if my server sends a response as such:

HTTP/1.0 200 OK
Content-type: text/html
Set-Cookie: Aaaa=Bbbb
Set-Cookie: aAaa=bBbb
Set-Cookie: aaAa=bbBb
Set-Cookie: aaaA=bbbB

Is it reasonable to expect a client (Chrome, FireFox, Safari, IExplorer, Opera, etc) to send future requests with the header Cookie: Aaaa=Bbbb; aAaa=bBbb; aaAa=bbBb; aaaA=bbbB;?

Note: Question is neither JSP-specific, PHP-specific, nor ASP-specific.

Improve this question
2
  • 3
    @lanzz, RFCs are not always that clear... so asking the question to confirm one way or the other is a good idea. Not only that, we can see below that there is an answer referencing MSDN with a sentence stating that cookie names are case insensitive! Commented Jan 3, 2013 at 8:26
  • 2
    @AlexisWilke I agree that RFCs are sometimes vague, but most times they are quite readable and concise. OP does not present evidence of having read the RFC at all, much less of being confused by it. MSDN is not an authoritative source on HTTP cookies. Commented Jan 3, 2013 at 10:57

6 Answers 6

Reset to default
54

Cookie names are case-sensitive. The RFC does not state that explicitly, but each case-insensitive comparison is stated so explicitly, and there is no such explicit statement regarding the name of the cookie. Chrome and Firefox both treat cookies as case-sensitive and preserve all case variants as distinct cookies.

Test case (PHP):

print_r($_COOKIE);

setcookie('foo', '123');
setcookie('Foo', '456');

Load script twice, observe $_COOKIE dump on second run.

Improve this answer
Sign up to request clarification or add additional context in comments.

Image
@PeerStritzinger Either I cannot understand your comment, or you haven't actually read my answer. I could not find an explicit statement to that effect in the RFC, but my interpretation of it is exactly the same as what you're saying: cookie names are case-sensitive. If you did find a definitive statement about this in the RFC you're welcome to share your findings, but I find it offensive that you downvoted my answer claiming that it is wrong, and then you actually agreed with it.
Image
@Pacerier Peer quotes an obsolete RFC. RFC 2109 has been obsoleted by RFC 2965, which in turn has been obsoleted by RFC 6265.
Image
@Pacerier No, I'm saying they're no longer case-insensitive. The old RFC describes them using the same rules as attribute names, which are case-insensitive; the current RFC does not define them in the same way, and does not describe the cookie name as explicitly case-insensitive. Case-sensitivity is trivially demonstrable in Chrome and Firefox using my example PHP code; since two major browsers treat them as case-sensitive, you don't have much choice but to make sure you treat them as case-sensitive too, or you break compatibility with FF and Chrome.
Image
It is COMPLETELY irrelevant what the RFC says! We write code to run on the browsers that are in use today: IE, Firefox, Chrome. As our code must work we must only care how the browsers are implemented. And I can tell that at least Internet Explorer is case-sensitive, so we should treat cookies as case sensitive to avoid problems!
Image
Have you read my answer? All major browsers handle cookie names in a case-sensitive manner, because that's what's prescribed in the RFC. Are you telling me that the RFC is irrelevant, because you've found that at least Internet Explorer actually follows it? Not to mention the fact that if your code handles cookies in a case-sensitive manner, it wouldn't matter if browsers do too; that's not true if you handle them as case-insensitive but browsers are case-sensitive.
7

At the bottom is a script that demonstrates Cookie case sensitivity on browsers and .Net framework. Every time it is run, it will insert a cookie named xxxxxxxxxx, with random upper/lower cases. Press F5 to refresh a few times to insert a few cookies.

I have teste it on Chrome and Firefox, and both demonstrate similar behavior, something like below:

Request.Cookies["xxxxxxxxxx"].Name returns: xxxxXxXXXX
All XXXXXXXXXX Cookies:

    xxxxXxXXXX
    xXxxXxXXXx
    XxxxxXxXXx
    XXXxXxXXxX

It shows:

  • Cookies are case sensitive on Chrome and Firefox
  • .Net Framework can handle case sensitive cookies (that's why it could loop through all those cookies)
  • Request.Cookies["xxxxxxxxxx"] is case insensitive (that's why it returns the first cookie that case-insensitively matches the name)

As mentioned in other answers, the new RFC indicates that cookies are case sensitive, and both Chrome and Firefox seem to handle it that way. .Net Framework can handle case-sensitive cookies, but it really wants to treat cookies case-insensitively, and many of its functions do treat cookies that way (Cookies[], Cookies.Set() etc.). This inconsistency can cause many hard to track bugs.

TestCookie.aspx:

<%@ Page language="c#" AutoEventWireup="false" validateRequest=false %>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
    <title id="title">Test Cookie Sensitivity</title>
</head>
<body>
<p>Request.Cookies["xxxxxxxxxx"].Name returns:
<%
    HttpCookie cookie2 = Request.Cookies["xxxxxxxxxx"];
    if (cookie2 == null) Response.Write("No cookie found");
    else Response.Write(cookie2.Name);
%>
</p>
<h3>All XXXXXXXXXX Cookies:</h3>
<ul>
<%
    foreach (string key in Request.Cookies.Keys)
        if (key.ToLower() == "xxxxxxxxxx") Response.Write("<li>" + key + "</li>");
    Random rand = new Random();
    StringBuilder name = new StringBuilder();
    for (int i = 0; i < 10; i++) {
        if (rand.Next(2) == 0) name.Append('x');
        else name.Append('X');
    }
    HttpCookie cookie = new HttpCookie(name.ToString());
    cookie.HttpOnly = true;
    cookie.Expires = DateTime.Now.AddMonths(1);
    Response.Cookies.Add(cookie);
%>
</ul>
</body>
</html>
Improve this answer

Image
This may simply be an issue with the .NET api and nothing to do with HTTP standards...
Image
Certainly. On top of the RFC discussions in the other answers, I just want to provide some confirmed results so we know how the browsers behave, and how the weird behavior of .NET has screwed me over (and can potentially screw others).
3

It seems cookies are actually case sensitive. Theres some confusion with this. It is interesting that the MSDN says otherwise:

Cookie names are NOT case-sensitive

Source: http://msdn.microsoft.com/en-us/library/ms970178.aspx the bottom of the article says it's ©2002 so it might be outdated.

Also, the question has been asked in the asp.net forums, too: http://forums.asp.net/t/1170326.aspx?Are+cookie+names+case+sensitive+ and it seems the answer is case-sensitive.

What's going on? MSDN says no, other technologies say yes. To be sure, I tested this using ASP classic.

Code

hashUCASE = Request.Cookies("data")("Hash")
hashLCASE = Request.Cookies("data")("hash")

Response.Write "<p> hashUCASE = " & hashUCASE
Response.Write "<br> hashLCASE = " & hashLCASE


cookieNameUCASE = Request.Cookies("Data")
cookieNameLCASE = Request.Cookies("data")

Response.Write "<p> cookieNameUCASE = " & cookieNameUCASE
Response.Write "<br> cookieNameLCASE = " & cookieNameLCASE

Response.End

Results

hashUCASE: EE3305C0DAADAAAA221BD5ACF6996AAA
hashLCASE: EE3305C0DAADAAAA221BD5ACF6996AAA

cookieNameUCASE: name=1&Hash=EE3305C0DAADAAAA221BD5ACF6996AAA
cookieNameLCASE: name=1&Hash=EE3305C0DAADAAAA221BD5ACF6996AAA

As you can see in the results, the value "Hash" was created with uppercase and even when you make the request with lower case, it returns the same value, which makes it not case-sensitive. Under this MS technology, it is not.

Conclusion

So, using Request.Cookies() in ASP classic, it's not case-sensitive, like Microsoft says. But wait, isn't it case sensitive again? This may mean that whether sensitive or not depends on the server side technology that makes the request to the browser, which could be normalizing the cookie name to make the requests and thus making it not case sensitive. But that's something else we'll have to test to verify.

My advice is to make tests with whatever technology you are using and establish a standard in your code base, make an agreement with your team. i.e. if you're going to use a cookie, decide if it will always be written in lowercase or uppercase anytime you are going to use it in your code. That way there won't be any case sensitivity problems because in your code it will be always declared with the same case.

tl;dr

As long as you keep a convention with the cookie names you won't have problems with case sensitivity.

Improve this answer

Image
This is not an ASP question... Since we apparently can't decide which browsers users will use, we can't just dictate cookies to be case-sensitive if they are not (or vice-versa).
Image
@Pacerier Exactly, that's the point I made in my last paragraph. Make a convention to always use lower case is an example and always test your stuff.
2

According to RFC 2109 - HTTP State Management Mechanism cookie names aka attribute names are case insensitive:

4.1 Syntax: General

The two state management headers, Set-Cookie and Cookie, have common syntactic properties involving attribute-value pairs. The following grammar uses the notation, and tokens DIGIT (decimal digits) and token (informally, a sequence of non-special, non-white space characters) from the HTTP/1.1 specification [RFC 2068] to describe their syntax.

av-pairs        =       av-pair *(";" av-pair)
av-pair         =       attr ["=" value]        ; optional value
attr            =       token
value           =       word
word            =       token | quoted-string

Attributes (names) (attr) are case-insensitive. White space is permitted between tokens. Note that while the above syntax description shows value as optional, most attrs require them.

Improve this answer

Image
How does this match up with Ianzz's answer?
Image
RFC 2109 is obsoleted by RFC 6265 via RFC 2965; RFC 6265 does not include the definitions you have quoted.
Image
I would speculate that the conflation of cookie names with attribute names has been intentionally removed in the later RFCs exactly for reason of case-sensitivity.
Image
According to MSDN, .net still follows RFC 2109 - The following cookie formats are supported during parsing of the HTTP response headers: the original Netscape specification, RFC 2109, and RFC 2965 And this also can be seen in .net sources
1

According to MSDN, cookies name are NOT case sensitive. However, I'm not sure if that's just ASPX/IIS specific implementation. I believe it depends on the web server and the language as well.

If you send a cookie named "UserID", the browser will make sure they send it back as "UserID", not "userid".

Improve this answer

Image
Yea I was wondering if it's just an ASPX implementation too: forums.asp.net/t/1170326.aspx/1
0

Web proxy softwares may convert the case of the cookie name.

Its behavior is permitted at least in the older RFCs.

Then many web libraries/frameworks handle cookie names as case-insensitive.

We should do the same, unless you expect all requests are encrypted and proxies can't modify it.

Improve this answer

Comments

Your Answer

Draft saved
Draft discarded

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.