Should cookie values be URL encoded?

by

Yes. While it’s not required per the spec, the following is mentioned in RFC6265 (emphasis is in the original document, not added)

To maximize compatibility with user agents, servers that wish to
store arbitrary data in a cookie-value SHOULD encode that data, for
example, using Base64 [RFC4648].

In my experience, most web frameworks and libraries for cookies have methods for encoding/decoding cookie values. In many cases, esp. in frameworks and high-level languages, this is abstracted away and done automatically.

This answer provides a fairly detailed account of the history behind the values allowed in cookies. Might be of interest to you.

More Related Contents:

  1. Share cookie between subdomain and domain
  2. How do browser cookie domains work?
  3. How to detect server-side whether cookies are disabled
  4. Why is it common to put CSRF prevention tokens in cookies?
  5. How to handle multiple cookies with the same name?
  6. Correct way to delete cookies server-side
  7. Cookie handling in Google Apps Script – How to send cookies in header?
  8. Why can’t I set a cookie and redirect?
  9. How are cookies passed in the HTTP protocol?
  10. How do I create a persistent vs a non-persistent cookie?
  11. Save cookies between two curl requests
  12. How does cookie “Secure” flag work?
  13. Domain set cookie for subdomain
  14. Share cookies between subdomain and domain
  15. Share a cookie between two websites
  16. Reading cookies via HTTPS that were set using HTTP
  17. Sending browser cookies during a 302 redirect
  18. What is the difference between server side cookie and client side cookie?
  19. Is a URL with // in the path-section valid?
  20. Is it possible to set more than one cookie with a single Set-Cookie?
  21. Can I read the hash portion of the URL on my server-side application (PHP, Ruby, Python, etc.)?
  22. What is the difference between POST and GET? [duplicate]
  23. Is there any downside for using a leading double slash to inherit the protocol in a URL? i.e. src=”//domain.com”
  24. Difference between Pragma and Cache-Control headers?
  25. How to catch exception correctly from http.request()?
  26. URL without “http|https”
  27. Angular2 OPTIONS method sent when asking for http.GET [duplicate]
  28. What is the highest number of threads that is reasonable to simultaneously run in Jmeter?
  29. HTTP Cache Control max-age, must-revalidate
  30. How do I make an HTTP request from Rust?

Leave a Comment