Cookie parsing failes on empty cookie values

Jan 7, 2010 at 8:38 PM

In the RequestCookies instructor, there is a case (last cookie value is empty and is not terminated by a semi-colon) where cookie values can cause an uncaught exception and will cause the request parsing to fail.

Here is an example HTTP request header that can reproduce this:

Cookie: param=value; param2=

A quick fix is to update the last cookie logic to handle the start = -1 case:

  // last cookie
if (name != string.Empty)
    Add(new RequestCookie(name, start == -1 || start >= cookies.Length ? string.Empty : cookies.Substring(start, cookies.Length - start)));

Similarly, RequestCookies.Add(cookie) has an interesting bit of code that intentionally throws an exception for cookies with empty values:

if (cookie.Value == null || cookie.Value.Trim() == string.Empty)
    throw new ArgumentException("Content must be specified.");

As far as I know, the above request header (cookie values) should not cause the entire request to be rejected (nor any exceptions to be thrown).