
Java 11 HttpCookie.parse throws IllegalArgumentException when parsing cookies that contain JSON


I have an application that has been running for more than a year and does something that looks like scraping websites. Now I want to set the cookies that a website returns in its header, but for the past couple of days it looks like the HttpCookie.parse() method can't parse cookies that contain JSON.

It is so strange that I don't think it can be true but maybe you had this before?

Here is an example:

your_cookie_name={"key":"value","key2":"value2"}; Max-Age=3600; Path=/; Secure; HttpOnly

Java does the following thing:

1. HttpCookie.parse("your_cookie_name={"key":"value","key2":"value2"}; Max-Age=3600; Path=/; Secure; HttpOnly")

Then:

2. HttpCookie.splitMultiCookies("your_cookie_name={"key":"value","key2":"value2"}; Max-Age=3600; Path=/; Secure; HttpOnly").

But this results in a list of 2 cookies:

Then it will try to parse each cookie and it fails on the second since it does not contain an = sign:

3. HttpCookie.parseInternal(""key2":"value2"}; Max-Age=3600; Path=/; Secure; HttpOnly")

But I actually can not believe it can't parse cookies that contain JSON. Can you help me? Is there a setting or something?


Solution

  • The problem is that the cookie value does not conform to the official cookie syntax. RFC 6256 states that a cookie-value consists of

    *cookie-octet / ( DQUOTE *cookie-octet DQUOTE )
    

    where cookie-octet is:

    US-ASCII characters excluding CTLs, whitespace, DQUOTE, comma,
    semicolon, and backslash
    

    and CTLs refers to ASCII control characters, and DQUOTE is the ASCII double quote character (").

    Your JSON contains double quotes and commas. That causes the cookie to be rejected by the parse method.

    If you want to pass arbitrary JSON in cookies, then you need to do something to "hide" any characters that are not allowed:

    • If the JSON is encoded as ASCII, you could use percent encoding or base64 encoding.
    • If the JSON is encoded in UTF8, then base64 is advisable.

    Also, beware that there can be limits on the size of a cookie (including name, value and attributes.)
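The base64 approach from the answer above, as an added example that is not part of the original answer: it checks a value against the quoted cookie-octet rule, shows how `HttpCookie.parse` treats the raw JSON header from the question, and round-trips the same JSON as unpadded URL-safe base64. The class and helper names, the sample JSON, and the 4096-byte size budget are assumptions made for illustration.

```java
import java.net.HttpCookie;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class JsonCookieDemo {
    // Assumed budget for name + value + attributes; real limits vary by client and server.
    static final int ASSUMED_MAX_COOKIE_BYTES = 4096;

    // True if every character is a cookie-octet: printable US-ASCII
    // excluding whitespace, DQUOTE, comma, semicolon and backslash.
    static boolean isCookieOctets(String s) {
        for (char c : s.toCharArray()) {
            boolean ok = c == 0x21 || (c >= 0x23 && c <= 0x2B) || (c >= 0x2D && c <= 0x3A)
                    || (c >= 0x3C && c <= 0x5B) || (c >= 0x5D && c <= 0x7E);
            if (!ok) return false;
        }
        return true;
    }

    // Sender side: UTF-8 JSON -> unpadded URL-safe base64 (only A-Z a-z 0-9 - _).
    static String encode(String json) {
        return Base64.getUrlEncoder().withoutPadding()
                .encodeToString(json.getBytes(StandardCharsets.UTF_8));
    }

    // Receiver side: throws IllegalArgumentException on input that is not valid base64.
    static String decode(String cookieValue) {
        return new String(Base64.getUrlDecoder().decode(cookieValue), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        String json = "{\"key\":\"value\",\"key2\":\"v\u00e4lue2\"}"; // constructed sample
        String attrs = "; Max-Age=3600; Path=/; Secure; HttpOnly";
        System.out.println("raw JSON is cookie-octets: " + isCookieOctets(json));
        try {
            HttpCookie.parse("your_cookie_name=" + json + attrs);
            System.out.println("raw JSON header parsed");
        } catch (IllegalArgumentException e) {
            System.out.println("raw JSON header rejected: " + e.getMessage());
        }
        String header = "your_cookie_name=" + encode(json) + attrs;
        if (header.getBytes(StandardCharsets.UTF_8).length > ASSUMED_MAX_COOKIE_BYTES) {
            throw new IllegalStateException("cookie exceeds assumed size budget");
        }
        String value = HttpCookie.parse(header).get(0).getValue();
        System.out.println("encoded is cookie-octets: " + isCookieOctets(value));
        System.out.println("round trip ok: " + json.equals(decode(value)));
    }
}
```

Base64 only changes the representation: the decoded JSON is still client-controlled input and should be validated before use.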