48

A HTTP Cookie consists of a name-value pair and can be set by the server using this response:

HTTP/1.0 200 OK
Content-type: text/html
Set-Cookie: name=value
Set-Cookie: name2=value2; Expires=Wed, 09 Jun 2021 10:18:14 GMT

Future requests from the client will then look like this:

GET /spec.html HTTP/1.1
Host: www.example.org
Cookie: name=value; name2=value2

Is the name of the cookie case sensitive?

For example, if my server sends a response as such:

HTTP/1.0 200 OK
Content-type: text/html
Set-Cookie: Aaaa=Bbbb
Set-Cookie: aAaa=bBbb
Set-Cookie: aaAa=bbBb
Set-Cookie: aaaA=bbbB

Is it reasonable to expect a client (Chrome, FireFox, Safari, IExplorer, Opera, etc) to send future requests with the header Cookie: Aaaa=Bbbb; aAaa=bBbb; aaAa=bbBb; aaaA=bbbB;?

Note: Question is neither JSP-specific, PHP-specific, nor ASP-specific.

Pacerier
  • 86,231
  • 106
  • 366
  • 634
  • 3
    @lanzz, RFCs are not always that clear... so asking the question to confirm one way or the other is a good idea. Not only that, we can see below that there is an answer referencing MSDN with a sentence stating that cookie names are case insensitive! – Alexis Wilke Jan 03 '13 at 08:26
  • 2
    @AlexisWilke I agree that RFCs are sometimes vague, but most times they are quite readable and concise. OP does not present evidence of having read the RFC _at all_, much less of being confused by it. MSDN is _not_ an authoritative source on HTTP cookies. – lanzz Jan 03 '13 at 10:57

5 Answers5

47

Cookie names are case-sensitive. The RFC does not state that explicitly, but each case-insensitive comparison is stated so explicitly, and there is no such explicit statement regarding the name of the cookie. Chrome and Firefox both treat cookies as case-sensitive and preserve all case variants as distinct cookies.

Test case (PHP):

print_r($_COOKIE);

setcookie('foo', '123');
setcookie('Foo', '456');

Load script twice, observe $_COOKIE dump on second run.

lanzz
  • 42,060
  • 10
  • 89
  • 98
  • 1
    @PeerStritzinger Either I cannot understand your comment, or you haven't actually read my answer. I could not find an _explicit_ statement to that effect in the RFC, but my interpretation of it is exactly the same as what you're saying: _cookie names are case-sensitive_. If you _did_ find a definitive statement about this in the RFC you're welcome to share your findings, but I find it offensive that you downvoted my answer claiming that it is wrong, and then you actually agreed with it. – lanzz Mar 04 '13 at 19:54
  • 6
    @Pacerier Peer quotes an obsolete RFC. [RFC 2109](http://www.ietf.org/rfc/rfc2109.txt) has been obsoleted by [RFC 2965](http://tools.ietf.org/html/rfc2965), which in turn has been obsoleted by [RFC 6265](http://tools.ietf.org/html/rfc6265). – lanzz Mar 05 '13 at 07:45
  • 1
    @Pacerier No, I'm saying they're no longer _case-insensitive_. The old RFC describes them using the same rules as attribute names, which are case-insensitive; the current RFC does not define them in the same way, and does not describe the cookie name as explicitly case-insensitive. Case-sensitivity is trivially demonstrable in Chrome and Firefox using my example PHP code; since two major browsers treat them as case-sensitive, you don't have much choice but to make sure you treat them as case-sensitive too, or you break compatibility with FF and Chrome. – lanzz Mar 05 '13 at 10:47
  • @Ianzz, yes pardon my typo. I meant "are you saying now it's no longer case-insensitive". I'm interested in the RFC standard regardless of browser behavior.. so basically RFC says it's now case-sensitive right? – Pacerier Mar 05 '13 at 12:32
  • My original answer still stands: the RFC does _not_ state explicitly that the cookie names are case-sensitive or case-insensitive. From the overall wording of the document I make the subjective inferrence, that _if_ the RFC meant the cookie names to be case-insensitive, it _would_ have been explicitly stated. Since it is not stated one way or the other, the overall language of RFC would imply case-sensitive behavior as the default. – lanzz Mar 05 '13 at 12:45
  • 2
    It is COMPLETELY irrelevant what the RFC says! We write code to run on the browsers that are in use today: IE, Firefox, Chrome. As our code must work we must only care how the browsers are implemented. And I can tell that at least Internet Explorer is case-sensitive, so we should treat cookies as case sensitive to avoid problems! – Elmue Feb 27 '14 at 02:51
  • 6
    Have you _read_ my answer? __All__ major browsers handle cookie names in a ___case-sensitive___ manner, because _that's what's prescribed in the RFC_. Are you telling me that the RFC is irrelevant, because you've found that _at least Internet Explorer actually follows it_? Not to mention the fact that if _your code_ handles cookies in a case-sensitive manner, it _wouldn't matter_ if browsers do too; that's not true if you handle them as case-insensitive but browsers are case-sensitive. – lanzz Feb 27 '14 at 06:20
  • It would be nice to have a link to the RFC that's being considered in the answer – YakovL Apr 26 '18 at 12:43
7

At the bottom is a script that demonstrates Cookie case sensitivity on browsers and .Net framework. Every time it is run, it will insert a cookie named xxxxxxxxxx, with random upper/lower cases. Press F5 to refresh a few times to insert a few cookies.

I have teste it on Chrome and Firefox, and both demonstrate similar behavior, something like below:

Request.Cookies["xxxxxxxxxx"].Name returns: xxxxXxXXXX
All XXXXXXXXXX Cookies:

    xxxxXxXXXX
    xXxxXxXXXx
    XxxxxXxXXx
    XXXxXxXXxX

It shows:

  • Cookies are case sensitive on Chrome and Firefox
  • .Net Framework can handle case sensitive cookies (that's why it could loop through all those cookies)
  • Request.Cookies["xxxxxxxxxx"] is case insensitive (that's why it returns the first cookie that case-insensitively matches the name)

As mentioned in other answers, the new RFC indicates that cookies are case sensitive, and both Chrome and Firefox seem to handle it that way. .Net Framework can handle case-sensitive cookies, but it really wants to treat cookies case-insensitively, and many of its functions do treat cookies that way (Cookies[], Cookies.Set() etc.). This inconsistency can cause many hard to track bugs.

TestCookie.aspx:

<%@ Page language="c#" AutoEventWireup="false" validateRequest=false %>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
    <title id="title">Test Cookie Sensitivity</title>
</head>
<body>
<p>Request.Cookies["xxxxxxxxxx"].Name returns:
<%
    HttpCookie cookie2 = Request.Cookies["xxxxxxxxxx"];
    if (cookie2 == null) Response.Write("No cookie found");
    else Response.Write(cookie2.Name);
%>
</p>
<h3>All XXXXXXXXXX Cookies:</h3>
<ul>
<%
    foreach (string key in Request.Cookies.Keys)
        if (key.ToLower() == "xxxxxxxxxx") Response.Write("<li>" + key + "</li>");
    Random rand = new Random();
    StringBuilder name = new StringBuilder();
    for (int i = 0; i < 10; i++) {
        if (rand.Next(2) == 0) name.Append('x');
        else name.Append('X');
    }
    HttpCookie cookie = new HttpCookie(name.ToString());
    cookie.HttpOnly = true;
    cookie.Expires = DateTime.Now.AddMonths(1);
    Response.Cookies.Add(cookie);
%>
</ul>
</body>
</html>
jackbean818
  • 304
  • 3
  • 7
  • 2
    This may simply be an issue with the .NET api and nothing to do with HTTP standards... – Pacerier Jun 25 '14 at 15:24
  • 1
    Certainly. On top of the RFC discussions in the other answers, I just want to provide some confirmed results so we know how the browsers behave, and how the weird behavior of .NET has screwed me over (and can potentially screw others). – jackbean818 Jun 25 '14 at 16:21
3

It seems cookies are actually case sensitive. Theres some confusion with this. It is interesting that the MSDN says otherwise:

Cookie names are NOT case-sensitive

Source: http://msdn.microsoft.com/en-us/library/ms970178.aspx the bottom of the article says it's ©2002 so it might be outdated.

Also, the question has been asked in the asp.net forums, too: http://forums.asp.net/t/1170326.aspx?Are+cookie+names+case+sensitive+ and it seems the answer is case-sensitive.

What's going on? MSDN says no, other technologies say yes. To be sure, I tested this using ASP classic.

Code

hashUCASE = Request.Cookies("data")("Hash")
hashLCASE = Request.Cookies("data")("hash")

Response.Write "<p> hashUCASE = " & hashUCASE
Response.Write "<br> hashLCASE = " & hashLCASE


cookieNameUCASE = Request.Cookies("Data")
cookieNameLCASE = Request.Cookies("data")

Response.Write "<p> cookieNameUCASE = " & cookieNameUCASE
Response.Write "<br> cookieNameLCASE = " & cookieNameLCASE

Response.End

Results

hashUCASE: EE3305C0DAADAAAA221BD5ACF6996AAA
hashLCASE: EE3305C0DAADAAAA221BD5ACF6996AAA

cookieNameUCASE: name=1&Hash=EE3305C0DAADAAAA221BD5ACF6996AAA
cookieNameLCASE: name=1&Hash=EE3305C0DAADAAAA221BD5ACF6996AAA

As you can see in the results, the value "Hash" was created with uppercase and even when you make the request with lower case, it returns the same value, which makes it not case-sensitive. Under this MS technology, it is not.

Conclusion

So, using Request.Cookies() in ASP classic, it's not case-sensitive, like Microsoft says. But wait, isn't it case sensitive again? This may mean that whether sensitive or not depends on the server side technology that makes the request to the browser, which could be normalizing the cookie name to make the requests and thus making it not case sensitive. But that's something else we'll have to test to verify.

My advice is to make tests with whatever technology you are using and establish a standard in your code base, make an agreement with your team. i.e. if you're going to use a cookie, decide if it will always be written in lowercase or uppercase anytime you are going to use it in your code. That way there won't be any case sensitivity problems because in your code it will be always declared with the same case.

tl;dr

As long as you keep a convention with the cookie names you won't have problems with case sensitivity.

delroh
  • 1,100
  • 12
  • 10
  • This is not an ASP question... Since we apparently can't decide which browsers users will use, we can't just dictate cookies to be case-sensitive if they are not (or vice-versa). – Pacerier Apr 12 '14 at 11:05
  • @Pacerier Exactly, that's the point I made in my last paragraph. Make a convention to always use lower case is an example and always test your stuff. – delroh Apr 14 '14 at 13:58
2

According to RFC 2109 - HTTP State Management Mechanism cookie names aka attribute names are case insensitive:

4.1 Syntax: General

The two state management headers, Set-Cookie and Cookie, have common syntactic properties involving attribute-value pairs. The following grammar uses the notation, and tokens DIGIT (decimal digits) and token (informally, a sequence of non-special, non-white space characters) from the HTTP/1.1 specification [RFC 2068] to describe their syntax.

av-pairs        =       av-pair *(";" av-pair)
av-pair         =       attr ["=" value]        ; optional value
attr            =       token
value           =       word
word            =       token | quoted-string

Attributes (names) (attr) are case-insensitive. White space is permitted between tokens. Note that while the above syntax description shows value as optional, most attrs require them.

Peer Stritzinger
  • 8,232
  • 2
  • 30
  • 43
  • How does this match up with Ianzz's answer? – Pacerier Mar 05 '13 at 04:00
  • 8
    RFC 2109 is obsoleted by [RFC 6265](http://tools.ietf.org/html/rfc6265) via [RFC 2965](http://tools.ietf.org/html/rfc2965); RFC 6265 does not include the definitions you have quoted. – lanzz Mar 05 '13 at 07:44
  • I would speculate that the conflation of cookie names with attribute names has been intentionally removed in the later RFCs exactly for reason of case-sensitivity. – lanzz Mar 05 '13 at 07:51
  • According to [MSDN](https://msdn.microsoft.com/en-us/library/system.net.cookie(v=vs.100).aspx#Anchor_5), .net still follows RFC 2109 - _The following cookie formats are supported during parsing of the HTTP response headers: the original Netscape specification, RFC 2109, and RFC 2965_ And this also can be seen in [.net sources](http://referencesource.microsoft.com/#System/net/System/Net/cookie.cs) – Woodman Jun 01 '16 at 13:25
1

According to MSDN, cookies name are NOT case sensitive. However, I'm not sure if that's just ASPX/IIS specific implementation. I believe it depends on the web server and the language as well.

If you send a cookie named "UserID", the browser will make sure they send it back as "UserID", not "userid".

Steven Luu
  • 1,047
  • 1
  • 7
  • 13
  • Yea I was wondering if it's just an ASPX implementation too: http://forums.asp.net/t/1170326.aspx/1 – Pacerier Jul 03 '12 at 13:29