Comment 1 for bug 142226

Jamie Heilman (jamie-audible) wrote :

It's a little unclear why this is a bug, so I'll expound upon it some.

The quotes are added in the _cookie_list() function from
ZPublisher/HTTPResponse.py. The quotes themselves aren't a bug;
quoted strings are allowed if we are to believe RFC 2965 or 2109
(although not all bother to do so), nor do they interfere with the
infamously half-assed Netscape Cookie specification. The problem is
that adding quotes without doing any further encoding on the cookie
value is a worthless gesture, and no further encoding is done, values
are passed completely raw.

Passing everything raw, leaving the setCookie methods a somewhat thin
conceptual wrapper around setHeader, means that the author must do their
own encoding and decoding to ensure semicolons (and other special
characters) in the cookie value are properly translated. Adding
quotes the way ZPublisher does also means the author must be aware of
this and be sure to include quotes in the list of 'special characters'
that require encoding, otherwise the regex in HTTPRequest.py is sure
to mangle that cookie if the browser doesn't. That the API
documentation doesn't mention any of this is rather suboptimal if
authors are expected to write robust code.

It could be said that if the author must already do all this work
preparing their data for transport, then there really isn't much merit
in giving them the quotes for "free." Alternatively, setCookie could
just generate a header that's valid automatically without the author
having to do the hard part. Figuring out what 'valid' is these days,
given the rather sizable gap between the published standards and
current practices, should be entertaining.

Suffice it to say the cookie hooks and the documentation need work.
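
The failure mode described in the comment above, as an added example that is not part of the original comment and not Zope code. `raw_quoted_header`, `encoded_header` and `round_trip` are hypothetical names; the receiver is a simplified model (cut at the first `;`, strip one pair of surrounding quotes), not the regex in HTTPRequest.py, and the sample value is constructed.

```python
from urllib.parse import quote, unquote


def raw_quoted_header(name, value):
    """Hypothetical stand-in for the behaviour described: add quotes, encode nothing."""
    return 'Set-Cookie: %s="%s"' % (name, value)


def encoded_header(name, value):
    """Percent-encode first, so ';', '"', ',' and spaces never reach the wire."""
    return 'Set-Cookie: %s="%s"' % (name, quote(value, safe=""))


def round_trip(set_cookie_header):
    """Simplified receiver (an assumption): the name=value pair ends at the
    first ';' because everything after it is read as cookie attributes, then
    one pair of surrounding quotes is stripped from the value."""
    line = set_cookie_header.split(":", 1)[1].strip()
    pair = line.split(";", 1)[0]
    name, _, value = pair.partition("=")
    value = value.strip()
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        value = value[1:-1]
    return name.strip(), value


# Constructed sample value containing both a semicolon and embedded quotes.
SAMPLE = 'red;green "blue"'


def demo():
    """Return (value seen after raw quoting, value seen after encoding)."""
    raw_seen = round_trip(raw_quoted_header("prefs", SAMPLE))[1]
    enc_seen = unquote(round_trip(encoded_header("prefs", SAMPLE))[1])
    return raw_seen, enc_seen


if __name__ == "__main__":
    raw_seen, enc_seen = demo()
    print("raw + quotes :", repr(raw_seen))   # truncated at the ';'
    print("encoded      :", repr(enc_seen))   # original value recovered
```

With raw quoting the value is cut at the semicolon and keeps a stray leading quote; with encoding applied before the quotes are added, the same value survives the round trip.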