Zope cookies unconditionally quoted

Its a little unclear why this is a bug, so I'll expound upon it some.

The quotes are added in the _cookie_list() function from
ZPublisher/HTTPResponse.py. The quotes themselves aren't a bug,
quoted strings are allowed if we are to believe RFC 2965 or 2109
(although not all bother to do so), nor do they interfere with the
infamously half-assed Nestcape Cookie specification. The problem is
that adding quotes without doing any further encoding on the cookie
value is a worthless gesture, and no further encoding is done, values
are passed completely raw.

Passing everything raw, leaving the setCookie methods a somewhat thin
conceptual wrapper around setHeader, means that author must do their
own encoding and decoding to ensure semicolons (and other special
characters) in the cookie value are properly translated. Adding
quotes the way ZPublisher does also means the author be must aware of
this and be sure to include quotes in list of 'special characters'
that require encoding, otherwise the regex in HTTPRequest.py is sure
to mangle that cookie if the browser doesn't. That the API
documentation doesn't mention any of this is rather suboptimal if
authors are expected to write robust code.

It could be said that if the author must already do all this work
preparing their data for transport, then there really isn't much merit
in giving them the quotes for "free." Alternatively setCookie could
generate a just header thats valid automatically without the author
having to do the hard part. Figuring out what 'valid' is these days,
given the rather sizable gap between the published standards and
current practices, should be entertaining.

Suffice it to say the cookie hooks and the documentation need work.

As the original poster, let me clarify why this is a problem. It has nothing to do with specs or free quoting. The problem is cookies are used across technologies: My Zope set cookies will be read by javascript and/or apache servers and god-knows-what else. Ramming quotes around them (indeed, any magic wrapping) makes zope cookies incompatible with 3rd party technologies. Zope might like to pretend it lives in a vacuum but my cookies certainly don't.

There is a work around at least. It is also too late to fix this as it would break existing cookies. I feel the existing behavior probably should remain but it needs to be documented and the setHeader workaround should be mentioned in the same place.

I don't see why it makes them incompatible with 3-party technologies. It means you have to strip the quotes in Javascript, for example, but that should work, right?

The incompatibility arises in two ways:

a. Zope can't set a cookie for consumption by another application that doesn't expect the quotes. Yes, you could change the other application to deal with the quotes -- why should you have to?

b. If another application sets unquoted cookies, it can break Zope's parsing. This has happened to me, and it was very mysterious and unpleasant.

I've just been bitten by this: Apache 2.2 supports load balancing with "sticky sessions", ie., depending on a session cookie a request gets proxied to a specific backend.

Except that doesn't work with Zope because Zope insists on wrapping my cookies in quotes.

I dont see what that wrapping is good for in the first place? Apache and as far as I can see also IIS and Javascript expect cookie vals to be bare, which also seems in the spirit of RFC2109 IMHO

We've just been bitten by this whilst integrating a php bulletin board with zope.

I wanted to use the same session id across zope and php, in order that they can pull the required data from the database. Both apps are happy with the session id generated by the other and stored in a cookie. However, zope magically quotes the session id if it generates it, and I then have to customise the php app to remove the quotes.

Would an acceptable solution be a zope.conf directive that controls cookie quoting (default quoting on)? I'll happily provide a patch if so. Unless you are doing integration of this sort, the default behaviour is fine.

How about adding an option to the setCookie() method that controls the quoting? I am not sure if were a really interested in a global configuration option.

Hi, continues even with the problems in the newer versions?

Same thing with us while trying to integrate Zope with the phpCAS SSO system and using cookies to transport SSO tickets.

When Zope authenticates users, it sets an SSO ticket inside a cookie, so that other systems may know the user is authenticated.

Problem: Zope (2.9) magically adds the infamous quotes, while the phpCAS library does something like $value ~ /^ST-/ (value starts with the ST- string). No room for an opening quote, which makes the systems not interoperable.

By the way, I support Andreas Jung suggestion to add an option to setCookie.

This is still the case in current Zope trunk.

I have gone for the simplest solution suggested by Andreas, a new keyword argument for the setCookie method.

Checked in on the 2.12 branch: http://svn.zope.org/?rev=112512&view=rev

Checked in on the trunk: http://svn.zope.org/?rev=112511&view=rev