CookieHeaderValue can't parse cookie from expiration

description

The format generated by System.Web.HttpCookie when formatted is non-standard, a mix between RFC1123 and RFC850 (at least as of .NET Framework 4.6.1).

The exact format string used is "ddd, dd-MMM-yyyy HH':'mm':'ss 'GMT'" as seen here

This doesn't quite match RFC1123, which is "ddd, d MMM yyyy H:m:s 'GMT'", as it uses dashes between the day, month, and year instead of spaces, but it doesn't quite match RFC850 either, which is "dddd, d'-'MMM'-'yy H:m:s 'GMT'", as it uses a short day of the week instead of the longer form.

CookieHeaderValue.TryParse ultimately calls the internal FormattingUtilities.TryParseDate, which uses a list of allowable date formats; however, the one used by HttpCookie listed above isn't one of them.

Also, according to RFC6265:
"If the attribute-value failed to parse as a cookie date, ignore the cookie-av."
Meaning, if for any reason the cookie fails to parse the date, it should just ignore this value; however, the code fails to parse the entire cookie instead.
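
One way to get the behaviour the RFC6265 sentence asks for, as an added example that is not code from this report or from the project: the class `LenientSetCookie` and its `TryParse` helper are hypothetical names, the sample headers are constructed, and the three format strings are the ones quoted above.

```csharp
using System;
using System.Globalization;

static class LenientSetCookie
{
    // Format strings quoted in the report above.
    static readonly string[] Formats =
    {
        "ddd, d MMM yyyy H:m:s 'GMT'",          // RFC1123
        "dddd, d'-'MMM'-'yy H:m:s 'GMT'",       // RFC850
        "ddd, dd-MMM-yyyy HH':'mm':'ss 'GMT'",  // System.Web.HttpCookie
    };

    // Hypothetical helper: parses "name=value; attr=value; ..." and drops an
    // Expires attribute whose date does not parse, keeping the cookie itself.
    public static bool TryParse(string header, out string name, out string value,
                                out DateTimeOffset? expires)
    {
        name = value = null;
        expires = null;
        string[] parts = header.Split(';');
        int eq = parts[0].IndexOf('=');
        if (eq <= 0) return false;              // no name=value pair: reject
        name = parts[0].Substring(0, eq).Trim();
        value = parts[0].Substring(eq + 1).Trim();
        for (int i = 1; i < parts.Length; i++)
        {
            string[] av = parts[i].Split(new[] { '=' }, 2);
            if (av.Length != 2 ||
                !av[0].Trim().Equals("expires", StringComparison.OrdinalIgnoreCase))
                continue;                       // other attributes are not modelled here
            if (DateTimeOffset.TryParseExact(av[1].Trim(), Formats,
                    CultureInfo.InvariantCulture,
                    DateTimeStyles.AssumeUniversal, out DateTimeOffset parsed))
                expires = parsed;               // a date that fails to parse is ignored
        }
        return true;
    }

    static void Main()
    {
        // Constructed sample headers: HttpCookie-style date, then a bad date.
        foreach (string h in new[] {
            "sid=abc; expires=Tue, 01-Mar-2016 10:20:30 GMT; path=/",
            "sid=abc; expires=not-a-date; path=/" })
        {
            bool ok = TryParse(h, out string n, out string v, out DateTimeOffset? e);
            Console.WriteLine($"{ok} {n}={v} expires={(e.HasValue ? e.Value.ToString("u") : "(ignored)")}");
        }
    }
}
```

A cookie whose Expires attribute is dropped this way is kept without an expiry, so under RFC6265 it lasts only until the current session ends.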
