Grid settings cookie value has commas, against RFC6265

The dhtmlxGrid state cookie uses commas in the cookie value, but commas are not permitted in cookie values according to RFC6265. We are asking you to consider modifying the format of the grid state cookie value to comply with the specification.

We are using the dhtmlxGrid functions that store grid state in cookie values. That code then creates a cookie with a cookie value that has comma characters. The comma character is one of several characters that aren’t permitted in a cookie value according to RFC 6265. These dhtmlxGrid cookie values caused an exception for us in part of our web application (unrelated to DHTMLX) that uses Microsoft .NET code.

We have been able to work around the issue but wanted to mention it so that you might consider changing the format of the grid state cookie to conform to RFC 6265.

More details:

Using DHTMLX Grid Enterprise v.3.0 build 110707. Saving and loading grid settings into cookies using these functions:


Which results in a browser cookie like this:

gridSettingForGridX=35,474,564,140,115|35,300,*,140,115|2,des||; path=/;

Which is then posted to the server like this:

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: gridSettingForGridX=35,415,608,140,115|35,300,*,140,115|1,asc||
Connection: keep-alive
Cache-Control: max-age=0

In another part of our application, we have Microsoft .NET code acting as an HTTP proxy by making a new web request using all the cookies passed in by the browser. When trying to use DHTMLX grid settings cookies we get a Microsoft .NET exception for such cookie values:

System.Net.CookieException: The 'Value'='35,474,564,140,115|35,300,*,140,115|2,des||' part of the cookie is invalid.
   at System.Net.Cookie.VerifySetDefaults(CookieVariant variant, Uri uri, Boolean isLocalDomain, String localDomain, Boolean set_default, Boolean isThrow)

In our situation we did not need to forward the grid cookies onward so we worked around the problem by excluding any cookies that have cookie values that don’t conform to the specification.

Thank you,
Michael Ferrante

RFC 6265 HTTP State Management Mechanism
Section 4.1.1 Syntax - cookie-octet
Cookie values can be: US-ASCII characters excluding CTLs, whitespace DQUOTE, comma, semicolon, and backslash … g_a_cookie
The value of a cookie may consist of any printable ascii character (! through ~, unicode \u0021 through \u007E) excluding , and ; and excluding whitespace. The name of the cookie also excludes = as that is the delimiter between the name and value.
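
The workaround described in the post above (dropping cookies whose values do not conform before forwarding them) can be sketched as a check against the RFC 6265 section 4.1.1 `cookie-value` grammar. This is an added example, not part of the original post and not DHTMLX's or the poster's .NET code; the function names and the `sessionId` cookie are assumptions.

```javascript
// RFC 6265 section 4.1.1:
//   cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
//   cookie-value = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE )
const COOKIE_OCTETS = "[\\x21\\x23-\\x2B\\x2D-\\x3A\\x3C-\\x5B\\x5D-\\x7E]*";
const COOKIE_VALUE = new RegExp(`^(?:${COOKIE_OCTETS}|"${COOKIE_OCTETS}")$`);

// True when the value is a valid cookie-value (bare or DQUOTE-wrapped).
function isRfc6265CookieValue(value) {
  return COOKIE_VALUE.test(value);
}

// Split a Cookie request header into pairs that are safe to forward
// and pairs that a strict parser (such as the one in the post) would reject.
function splitCookieHeader(header) {
  const forward = [];
  const dropped = [];
  for (const pair of header.split(";")) {
    const trimmed = pair.trim();
    if (trimmed === "") continue;
    const eq = trimmed.indexOf("=");
    if (eq < 1) { dropped.push(trimmed); continue; } // missing name or "="
    const name = trimmed.slice(0, eq);
    const value = trimmed.slice(eq + 1);
    (isRfc6265CookieValue(value) ? forward : dropped).push(`${name}=${value}`);
  }
  return { forward, dropped };
}

// Constructed header: the grid cookie from the post plus a hypothetical session cookie.
const sampleHeader =
  "sessionId=abc123; gridSettingForGridX=35,415,608,140,115|35,300,*,140,115|1,asc||";

function demo() {
  const result = splitCookieHeader(sampleHeader);
  // Percent-encoding is one way a producer could store the same state in a
  // conforming value; "%" and "*" are both valid cookie-octets.
  const encoded = encodeURIComponent("35,415,608,140,115|35,300,*,140,115|1,asc||");
  return { ...result, encoded, encodedOk: isRfc6265CookieValue(encoded) };
}

console.log(demo());
```

Only the commas make the grid value non-conforming; the `|` and `*` characters fall inside the permitted `cookie-octet` ranges.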

Problem confirmed and will be fixed in the next build.
If you need a fix ASAP - please open a ticket in the support system.