1 // Copyright 2010 The Go Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style
3 // license that can be found in the LICENSE file.
19 var writeSetCookiesTests
= []struct {
24 &Cookie
{Name
: "cookie-1", Value
: "v$1"},
28 &Cookie
{Name
: "cookie-2", Value
: "two", MaxAge
: 3600},
29 "cookie-2=two; Max-Age=3600",
32 &Cookie
{Name
: "cookie-3", Value
: "three", Domain
: ".example.com"},
33 "cookie-3=three; Domain=example.com",
36 &Cookie
{Name
: "cookie-4", Value
: "four", Path
: "/restricted/"},
37 "cookie-4=four; Path=/restricted/",
40 &Cookie
{Name
: "cookie-5", Value
: "five", Domain
: "wrong;bad.abc"},
44 &Cookie
{Name
: "cookie-6", Value
: "six", Domain
: "bad-.abc"},
48 &Cookie
{Name
: "cookie-7", Value
: "seven", Domain
: "127.0.0.1"},
49 "cookie-7=seven; Domain=127.0.0.1",
52 &Cookie
{Name
: "cookie-8", Value
: "eight", Domain
: "::1"},
56 &Cookie
{Name
: "cookie-9", Value
: "expiring", Expires
: time
.Unix(1257894000, 0)},
57 "cookie-9=expiring; Expires=Tue, 10 Nov 2009 23:00:00 GMT",
59 // According to IETF 6265 Section 5.1.1.5, the year cannot be less than 1601
61 &Cookie
{Name
: "cookie-10", Value
: "expiring-1601", Expires
: time
.Date(1601, 1, 1, 1, 1, 1, 1, time
.UTC
)},
62 "cookie-10=expiring-1601; Expires=Mon, 01 Jan 1601 01:01:01 GMT",
65 &Cookie
{Name
: "cookie-11", Value
: "invalid-expiry", Expires
: time
.Date(1600, 1, 1, 1, 1, 1, 1, time
.UTC
)},
66 "cookie-11=invalid-expiry",
69 &Cookie
{Name
: "cookie-12", Value
: "samesite-default", SameSite
: SameSiteDefaultMode
},
70 "cookie-12=samesite-default",
73 &Cookie
{Name
: "cookie-13", Value
: "samesite-lax", SameSite
: SameSiteLaxMode
},
74 "cookie-13=samesite-lax; SameSite=Lax",
77 &Cookie
{Name
: "cookie-14", Value
: "samesite-strict", SameSite
: SameSiteStrictMode
},
78 "cookie-14=samesite-strict; SameSite=Strict",
81 &Cookie
{Name
: "cookie-15", Value
: "samesite-none", SameSite
: SameSiteNoneMode
},
82 "cookie-15=samesite-none; SameSite=None",
84 // The "special" cookies have values containing commas or spaces which
85 // are disallowed by RFC 6265 but are common in the wild.
87 &Cookie
{Name
: "special-1", Value
: "a z"},
91 &Cookie
{Name
: "special-2", Value
: " z"},
95 &Cookie
{Name
: "special-3", Value
: "a "},
99 &Cookie
{Name
: "special-4", Value
: " "},
103 &Cookie
{Name
: "special-5", Value
: "a,z"},
107 &Cookie
{Name
: "special-6", Value
: ",z"},
111 &Cookie
{Name
: "special-7", Value
: "a,"},
115 &Cookie
{Name
: "special-8", Value
: ","},
119 &Cookie
{Name
: "empty-value", Value
: ""},
139 &Cookie
{Name
: "a\nb", Value
: "v"},
143 &Cookie
{Name
: "a\nb", Value
: "v"},
147 &Cookie
{Name
: "a\rb", Value
: "v"},
152 func TestWriteSetCookies(t
*testing
.T
) {
153 defer log
.SetOutput(os
.Stderr
)
154 var logbuf bytes
.Buffer
155 log
.SetOutput(&logbuf
)
157 for i
, tt
:= range writeSetCookiesTests
{
158 if g
, e
:= tt
.Cookie
.String(), tt
.Raw
; g
!= e
{
159 t
.Errorf("Test %d, expecting:\n%s\nGot:\n%s\n", i
, e
, g
)
164 if got
, sub
:= logbuf
.String(), "dropping domain attribute"; !strings
.Contains(got
, sub
) {
165 t
.Errorf("Expected substring %q in log output. Got:\n%s", sub
, got
)
169 type headerOnlyResponseWriter Header
171 func (ho headerOnlyResponseWriter
) Header() Header
{
175 func (ho headerOnlyResponseWriter
) Write([]byte) (int, error
) {
179 func (ho headerOnlyResponseWriter
) WriteHeader(int) {
183 func TestSetCookie(t
*testing
.T
) {
185 SetCookie(headerOnlyResponseWriter(m
), &Cookie
{Name
: "cookie-1", Value
: "one", Path
: "/restricted/"})
186 SetCookie(headerOnlyResponseWriter(m
), &Cookie
{Name
: "cookie-2", Value
: "two", MaxAge
: 3600})
187 if l
:= len(m
["Set-Cookie"]); l
!= 2 {
188 t
.Fatalf("expected %d cookies, got %d", 2, l
)
190 if g
, e
:= m
["Set-Cookie"][0], "cookie-1=one; Path=/restricted/"; g
!= e
{
191 t
.Errorf("cookie #1: want %q, got %q", e
, g
)
193 if g
, e
:= m
["Set-Cookie"][1], "cookie-2=two; Max-Age=3600"; g
!= e
{
194 t
.Errorf("cookie #2: want %q, got %q", e
, g
)
198 var addCookieTests
= []struct {
207 []*Cookie
{{Name
: "cookie-1", Value
: "v$1"}},
212 {Name
: "cookie-1", Value
: "v$1"},
213 {Name
: "cookie-2", Value
: "v$2"},
214 {Name
: "cookie-3", Value
: "v$3"},
216 "cookie-1=v$1; cookie-2=v$2; cookie-3=v$3",
220 func TestAddCookie(t
*testing
.T
) {
221 for i
, tt
:= range addCookieTests
{
222 req
, _
:= NewRequest("GET", "http://example.com/", nil)
223 for _
, c
:= range tt
.Cookies
{
226 if g
:= req
.Header
.Get("Cookie"); g
!= tt
.Raw
{
227 t
.Errorf("Test %d:\nwant: %s\n got: %s\n", i
, tt
.Raw
, g
)
233 var readSetCookiesTests
= []struct {
238 Header
{"Set-Cookie": {"Cookie-1=v$1"}},
239 []*Cookie
{{Name
: "Cookie-1", Value
: "v$1", Raw
: "Cookie-1=v$1"}},
242 Header
{"Set-Cookie": {"NID=99=YsDT5i3E-CXax-; expires=Wed, 23-Nov-2011 01:05:03 GMT; path=/; domain=.google.ch; HttpOnly"}},
245 Value
: "99=YsDT5i3E-CXax-",
247 Domain
: ".google.ch",
249 Expires
: time
.Date(2011, 11, 23, 1, 5, 3, 0, time
.UTC
),
250 RawExpires
: "Wed, 23-Nov-2011 01:05:03 GMT",
251 Raw
: "NID=99=YsDT5i3E-CXax-; expires=Wed, 23-Nov-2011 01:05:03 GMT; path=/; domain=.google.ch; HttpOnly",
255 Header
{"Set-Cookie": {".ASPXAUTH=7E3AA; expires=Wed, 07-Mar-2012 14:25:06 GMT; path=/; HttpOnly"}},
260 Expires
: time
.Date(2012, 3, 7, 14, 25, 6, 0, time
.UTC
),
261 RawExpires
: "Wed, 07-Mar-2012 14:25:06 GMT",
263 Raw
: ".ASPXAUTH=7E3AA; expires=Wed, 07-Mar-2012 14:25:06 GMT; path=/; HttpOnly",
267 Header
{"Set-Cookie": {"ASP.NET_SessionId=foo; path=/; HttpOnly"}},
269 Name
: "ASP.NET_SessionId",
273 Raw
: "ASP.NET_SessionId=foo; path=/; HttpOnly",
277 Header
{"Set-Cookie": {"samesitedefault=foo; SameSite"}},
279 Name
: "samesitedefault",
281 SameSite
: SameSiteDefaultMode
,
282 Raw
: "samesitedefault=foo; SameSite",
286 Header
{"Set-Cookie": {"samesiteinvalidisdefault=foo; SameSite=invalid"}},
288 Name
: "samesiteinvalidisdefault",
290 SameSite
: SameSiteDefaultMode
,
291 Raw
: "samesiteinvalidisdefault=foo; SameSite=invalid",
295 Header
{"Set-Cookie": {"samesitelax=foo; SameSite=Lax"}},
299 SameSite
: SameSiteLaxMode
,
300 Raw
: "samesitelax=foo; SameSite=Lax",
304 Header
{"Set-Cookie": {"samesitestrict=foo; SameSite=Strict"}},
306 Name
: "samesitestrict",
308 SameSite
: SameSiteStrictMode
,
309 Raw
: "samesitestrict=foo; SameSite=Strict",
313 Header
{"Set-Cookie": {"samesitenone=foo; SameSite=None"}},
315 Name
: "samesitenone",
317 SameSite
: SameSiteNoneMode
,
318 Raw
: "samesitenone=foo; SameSite=None",
321 // Make sure we can properly read back the Set-Cookie headers we create
322 // for values containing spaces or commas:
324 Header
{"Set-Cookie": {`special-1=a z`}},
325 []*Cookie
{{Name
: "special-1", Value
: "a z", Raw
: `special-1=a z`}},
328 Header
{"Set-Cookie": {`special-2=" z"`}},
329 []*Cookie
{{Name
: "special-2", Value
: " z", Raw
: `special-2=" z"`}},
332 Header
{"Set-Cookie": {`special-3="a "`}},
333 []*Cookie
{{Name
: "special-3", Value
: "a ", Raw
: `special-3="a "`}},
336 Header
{"Set-Cookie": {`special-4=" "`}},
337 []*Cookie
{{Name
: "special-4", Value
: " ", Raw
: `special-4=" "`}},
340 Header
{"Set-Cookie": {`special-5=a,z`}},
341 []*Cookie
{{Name
: "special-5", Value
: "a,z", Raw
: `special-5=a,z`}},
344 Header
{"Set-Cookie": {`special-6=",z"`}},
345 []*Cookie
{{Name
: "special-6", Value
: ",z", Raw
: `special-6=",z"`}},
348 Header
{"Set-Cookie": {`special-7=a,`}},
349 []*Cookie
{{Name
: "special-7", Value
: "a,", Raw
: `special-7=a,`}},
352 Header
{"Set-Cookie": {`special-8=","`}},
353 []*Cookie
{{Name
: "special-8", Value
: ",", Raw
: `special-8=","`}},
356 // TODO(bradfitz): users have reported seeing this in the
357 // wild, but do browsers handle it? RFC 6265 just says "don't
358 // do that" (section 3) and then never mentions header folding
360 // Header{"Set-Cookie": {"ASP.NET_SessionId=foo; path=/; HttpOnly, .ASPXAUTH=7E3AA; expires=Wed, 07-Mar-2012 14:25:06 GMT; path=/; HttpOnly"}},
363 func toJSON(v any
) string {
364 b
, err
:= json
.Marshal(v
)
366 return fmt
.Sprintf("%#v", v
)
371 func TestReadSetCookies(t
*testing
.T
) {
372 for i
, tt
:= range readSetCookiesTests
{
373 for n
:= 0; n
< 2; n
++ { // to verify readSetCookies doesn't mutate its input
374 c
:= readSetCookies(tt
.Header
)
375 if !reflect
.DeepEqual(c
, tt
.Cookies
) {
376 t
.Errorf("#%d readSetCookies: have\n%s\nwant\n%s\n", i
, toJSON(c
), toJSON(tt
.Cookies
))
383 var readCookiesTests
= []struct {
389 Header
{"Cookie": {"Cookie-1=v$1", "c2=v2"}},
392 {Name
: "Cookie-1", Value
: "v$1"},
393 {Name
: "c2", Value
: "v2"},
397 Header
{"Cookie": {"Cookie-1=v$1", "c2=v2"}},
400 {Name
: "c2", Value
: "v2"},
404 Header
{"Cookie": {"Cookie-1=v$1; c2=v2"}},
407 {Name
: "Cookie-1", Value
: "v$1"},
408 {Name
: "c2", Value
: "v2"},
412 Header
{"Cookie": {"Cookie-1=v$1; c2=v2"}},
415 {Name
: "c2", Value
: "v2"},
419 Header
{"Cookie": {`Cookie-1="v$1"; c2="v2"`}},
422 {Name
: "Cookie-1", Value
: "v$1"},
423 {Name
: "c2", Value
: "v2"},
427 Header
{"Cookie": {`Cookie-1="v$1"; c2=v2;`}},
430 {Name
: "Cookie-1", Value
: "v$1"},
431 {Name
: "c2", Value
: "v2"},
435 Header
{"Cookie": {``}},
441 func TestReadCookies(t
*testing
.T
) {
442 for i
, tt
:= range readCookiesTests
{
443 for n
:= 0; n
< 2; n
++ { // to verify readCookies doesn't mutate its input
444 c
:= readCookies(tt
.Header
, tt
.Filter
)
445 if !reflect
.DeepEqual(c
, tt
.Cookies
) {
446 t
.Errorf("#%d readCookies:\nhave: %s\nwant: %s\n", i
, toJSON(c
), toJSON(tt
.Cookies
))
453 func TestSetCookieDoubleQuotes(t
*testing
.T
) {
454 res
:= &Response
{Header
: Header
{}}
455 res
.Header
.Add("Set-Cookie", `quoted0=none; max-age=30`)
456 res
.Header
.Add("Set-Cookie", `quoted1="cookieValue"; max-age=31`)
457 res
.Header
.Add("Set-Cookie", `quoted2=cookieAV; max-age="32"`)
458 res
.Header
.Add("Set-Cookie", `quoted3="both"; max-age="33"`)
461 {Name
: "quoted0", Value
: "none", MaxAge
: 30},
462 {Name
: "quoted1", Value
: "cookieValue", MaxAge
: 31},
463 {Name
: "quoted2", Value
: "cookieAV"},
464 {Name
: "quoted3", Value
: "both"},
466 if len(got
) != len(want
) {
467 t
.Fatalf("got %d cookies, want %d", len(got
), len(want
))
469 for i
, w
:= range want
{
471 if g
.Name
!= w
.Name || g
.Value
!= w
.Value || g
.MaxAge
!= w
.MaxAge
{
472 t
.Errorf("cookie #%d:\ngot %v\nwant %v", i
, g
, w
)
477 func TestCookieSanitizeValue(t
*testing
.T
) {
478 defer log
.SetOutput(os
.Stderr
)
479 var logbuf bytes
.Buffer
480 log
.SetOutput(&logbuf
)
486 {"foo;bar", "foobar"},
487 {"foo\\bar", "foobar"},
488 {"foo\"bar", "foobar"},
489 {"\x00\x7e\x7f\x80", "\x7e"},
490 {`"withquotes"`, "withquotes"},
498 for _
, tt
:= range tests
{
499 if got
:= sanitizeCookieValue(tt
.in
); got
!= tt
.want
{
500 t
.Errorf("sanitizeCookieValue(%q) = %q; want %q", tt
.in
, got
, tt
.want
)
504 if got
, sub
:= logbuf
.String(), "dropping invalid bytes"; !strings
.Contains(got
, sub
) {
505 t
.Errorf("Expected substring %q in log output. Got:\n%s", sub
, got
)
509 func TestCookieSanitizePath(t
*testing
.T
) {
510 defer log
.SetOutput(os
.Stderr
)
511 var logbuf bytes
.Buffer
512 log
.SetOutput(&logbuf
)
518 {"/path with space/", "/path with space/"},
519 {"/just;no;semicolon\x00orstuff/", "/justnosemicolonorstuff/"},
521 for _
, tt
:= range tests
{
522 if got
:= sanitizeCookiePath(tt
.in
); got
!= tt
.want
{
523 t
.Errorf("sanitizeCookiePath(%q) = %q; want %q", tt
.in
, got
, tt
.want
)
527 if got
, sub
:= logbuf
.String(), "dropping invalid bytes"; !strings
.Contains(got
, sub
) {
528 t
.Errorf("Expected substring %q in log output. Got:\n%s", sub
, got
)
532 func TestCookieValid(t
*testing
.T
) {
538 {&Cookie
{Name
: ""}, false},
539 {&Cookie
{Name
: "invalid-expires"}, false},
540 {&Cookie
{Name
: "invalid-value", Value
: "foo\"bar"}, false},
541 {&Cookie
{Name
: "invalid-path", Path
: "/foo;bar/"}, false},
542 {&Cookie
{Name
: "invalid-domain", Domain
: "example.com:80"}, false},
543 {&Cookie
{Name
: "valid", Value
: "foo", Path
: "/bar", Domain
: "example.com", Expires
: time
.Unix(0, 0)}, true},
546 for _
, tt
:= range tests
{
547 err
:= tt
.cookie
.Valid()
548 if err
!= nil && tt
.valid
{
549 t
.Errorf("%#v.Valid() returned error %v; want nil", tt
.cookie
, err
)
551 if err
== nil && !tt
.valid
{
552 t
.Errorf("%#v.Valid() returned nil; want error", tt
.cookie
)
557 func BenchmarkCookieString(b
*testing
.B
) {
558 const wantCookieString
= `cookie-9=i3e01nf61b6t23bvfmplnanol3; Path=/restricted/; Domain=example.com; Expires=Tue, 10 Nov 2009 23:00:00 GMT; Max-Age=3600`
561 Value
: "i3e01nf61b6t23bvfmplnanol3",
562 Expires
: time
.Unix(1257894000, 0),
563 Path
: "/restricted/",
564 Domain
: ".example.com",
567 var benchmarkCookieString
string
570 for i
:= 0; i
< b
.N
; i
++ {
571 benchmarkCookieString
= c
.String()
573 if have
, want
:= benchmarkCookieString
, wantCookieString
; have
!= want
{
574 b
.Fatalf("Have: %v Want: %v", have
, want
)
578 func BenchmarkReadSetCookies(b
*testing
.B
) {
581 "NID=99=YsDT5i3E-CXax-; expires=Wed, 23-Nov-2011 01:05:03 GMT; path=/; domain=.google.ch; HttpOnly",
582 ".ASPXAUTH=7E3AA; expires=Wed, 07-Mar-2012 14:25:06 GMT; path=/; HttpOnly",
585 wantCookies
:= []*Cookie
{
588 Value
: "99=YsDT5i3E-CXax-",
590 Domain
: ".google.ch",
592 Expires
: time
.Date(2011, 11, 23, 1, 5, 3, 0, time
.UTC
),
593 RawExpires
: "Wed, 23-Nov-2011 01:05:03 GMT",
594 Raw
: "NID=99=YsDT5i3E-CXax-; expires=Wed, 23-Nov-2011 01:05:03 GMT; path=/; domain=.google.ch; HttpOnly",
600 Expires
: time
.Date(2012, 3, 7, 14, 25, 6, 0, time
.UTC
),
601 RawExpires
: "Wed, 07-Mar-2012 14:25:06 GMT",
603 Raw
: ".ASPXAUTH=7E3AA; expires=Wed, 07-Mar-2012 14:25:06 GMT; path=/; HttpOnly",
609 for i
:= 0; i
< b
.N
; i
++ {
610 c
= readSetCookies(header
)
612 if !reflect
.DeepEqual(c
, wantCookies
) {
613 b
.Fatalf("readSetCookies:\nhave: %s\nwant: %s\n", toJSON(c
), toJSON(wantCookies
))
617 func BenchmarkReadCookies(b
*testing
.B
) {
620 `de=; client_region=0; rpld1=0:hispeed.ch|20:che|21:zh|22:zurich|23:47.36|24:8.53|; rpld0=1:08|; backplane-channel=newspaper.com:1471; devicetype=0; osfam=0; rplmct=2; s_pers=%20s_vmonthnum%3D1472680800496%2526vn%253D1%7C1472680800496%3B%20s_nr%3D1471686767664-New%7C1474278767664%3B%20s_lv%3D1471686767669%7C1566294767669%3B%20s_lv_s%3DFirst%2520Visit%7C1471688567669%3B%20s_monthinvisit%3Dtrue%7C1471688567677%3B%20gvp_p5%3Dsports%253Ablog%253Aearly-lead%2520-%2520184693%2520-%252020160820%2520-%2520u-s%7C1471688567681%3B%20gvp_p51%3Dwp%2520-%2520sports%7C1471688567684%3B; s_sess=%20s_wp_ep%3Dhomepage%3B%20s._ref%3Dhttps%253A%252F%252Fwww.google.ch%252F%3B%20s_cc%3Dtrue%3B%20s_ppvl%3Dsports%25253Ablog%25253Aearly-lead%252520-%252520184693%252520-%25252020160820%252520-%252520u-lawyer%252C12%252C12%252C502%252C1231%252C502%252C1680%252C1050%252C2%252CP%3B%20s_ppv%3Dsports%25253Ablog%25253Aearly-lead%252520-%252520184693%252520-%25252020160820%252520-%252520u-s-lawyer%252C12%252C12%252C502%252C1231%252C502%252C1680%252C1050%252C2%252CP%3B%20s_dslv%3DFirst%2520Visit%3B%20s_sq%3Dwpninewspapercom%253D%252526pid%25253Dsports%2525253Ablog%2525253Aearly-lead%25252520-%25252520184693%25252520-%2525252020160820%25252520-%25252520u-s%252526pidt%25253D1%252526oid%25253Dhttps%2525253A%2525252F%2525252Fwww.newspaper.com%2525252F%2525253Fnid%2525253Dmenu_nav_homepage%252526ot%25253DA%3B`,
623 wantCookies
:= []*Cookie
{
624 {Name
: "de", Value
: ""},
625 {Name
: "client_region", Value
: "0"},
626 {Name
: "rpld1", Value
: "0:hispeed.ch|20:che|21:zh|22:zurich|23:47.36|24:8.53|"},
627 {Name
: "rpld0", Value
: "1:08|"},
628 {Name
: "backplane-channel", Value
: "newspaper.com:1471"},
629 {Name
: "devicetype", Value
: "0"},
630 {Name
: "osfam", Value
: "0"},
631 {Name
: "rplmct", Value
: "2"},
632 {Name
: "s_pers", Value
: "%20s_vmonthnum%3D1472680800496%2526vn%253D1%7C1472680800496%3B%20s_nr%3D1471686767664-New%7C1474278767664%3B%20s_lv%3D1471686767669%7C1566294767669%3B%20s_lv_s%3DFirst%2520Visit%7C1471688567669%3B%20s_monthinvisit%3Dtrue%7C1471688567677%3B%20gvp_p5%3Dsports%253Ablog%253Aearly-lead%2520-%2520184693%2520-%252020160820%2520-%2520u-s%7C1471688567681%3B%20gvp_p51%3Dwp%2520-%2520sports%7C1471688567684%3B"},
633 {Name
: "s_sess", Value
: "%20s_wp_ep%3Dhomepage%3B%20s._ref%3Dhttps%253A%252F%252Fwww.google.ch%252F%3B%20s_cc%3Dtrue%3B%20s_ppvl%3Dsports%25253Ablog%25253Aearly-lead%252520-%252520184693%252520-%25252020160820%252520-%252520u-lawyer%252C12%252C12%252C502%252C1231%252C502%252C1680%252C1050%252C2%252CP%3B%20s_ppv%3Dsports%25253Ablog%25253Aearly-lead%252520-%252520184693%252520-%25252020160820%252520-%252520u-s-lawyer%252C12%252C12%252C502%252C1231%252C502%252C1680%252C1050%252C2%252CP%3B%20s_dslv%3DFirst%2520Visit%3B%20s_sq%3Dwpninewspapercom%253D%252526pid%25253Dsports%2525253Ablog%2525253Aearly-lead%25252520-%25252520184693%25252520-%2525252020160820%25252520-%25252520u-s%252526pidt%25253D1%252526oid%25253Dhttps%2525253A%2525252F%2525252Fwww.newspaper.com%2525252F%2525253Fnid%2525253Dmenu_nav_homepage%252526ot%25253DA%3B"},
638 for i
:= 0; i
< b
.N
; i
++ {
639 c
= readCookies(header
, "")
641 if !reflect
.DeepEqual(c
, wantCookies
) {
642 b
.Fatalf("readCookies:\nhave: %s\nwant: %s\n", toJSON(c
), toJSON(wantCookies
))