This week, we've started getting error logs from users of the Samsung Browser on tablets and smartphones, where occasionally commas will be used to separate two cookies in the Cookie HTTP header sent to our server instead of the standard semi-colon. The current RFC defining cookies and HTTP state management at large, RFC 6265, indicates that only the semi-colon is accepted as a separator, but the two RFCs preceding it (2965 and 2109) specify that "a server should also accept comma (,) as the separator between cookie-values for future compatibility."
This has two consequences on our end:
- The problematic cookie is assumed to contain a Base64-encoded object. Because the comma isn't interpreted as a separator, the next cookie in the header is tacked onto the end of the Base64 value we are trying to convert, and the conversion crashes.
- The cookie following the comma separator is "lost" as far as ASP.NET's own cookie processing is concerned.
It would be pretty easy to hack something together on our end to fix the crashing conversion. I could look for a comma, and ignore it and everything following it if it was present, and the conversion would succeed. But then I'd have to manually handle recovering the "lost" cookies, and really, I'd like to avoid these kinds of hacks if possible. Given the state of OS updates on Android phones, I'm pretty hopeless that a fix for this will ever go out. But since older RFCs suggested supporting commas as separators on the server side, I'm hoping there something configurable somewhere I can enable to get this behavior for free, without resorting to inelegant hacks in our application code.
So really, what I'm asking is:
- Has ASP.NET MVC ever supported commas as separators in the Cookie HTTP header?
- If so, is there any way to enable that legacy behavior on MVC 5/Framework 4.5.2?