base64 cookies

The answer is they are URL-encoded, or not. It’s up to the server, as cookie values are opaque ASCII values (see RFC 2965). The server just has to encode it the same way it wants to receive the value; the client does not do anything with the value. I’ve only seen servers encoding into UTF-8 and escaping the values (with, for example, escape or encodeURIComponent).

But yea, this module could certainly base64-encode the values or URL-encode the values, as long as it decodes them in the same way 😄

@dougwilson I did some additional research. RFC2109 specifies this grammar:

 The two state management headers, Set-Cookie and Cookie, have common
 syntactic properties involving attribute-value pairs.  The following
 grammar uses the notation, and tokens DIGIT (decimal digits) and
 token (informally, a sequence of non-special, non-white space
 characters) from the HTTP/1.1 specification [RFC 2068] to describe
 their syntax.

 av-pairs        =       av-pair *(";" av-pair)
 av-pair         =       attr ["=" value]        ; optional value
 attr            =       token
 value           =       word
 word            =       token | quoted-string

You’ll note it calls out “token” as from HTTP/1.1, which states this:

      token          = 1*<any CHAR except CTLs or tspecials>

      tspecials      = "(" | ")" | "<" | ">" | "@"
                     | "," | ";" | ":" | "\" | <">
                     | "/" | "[" | "]" | "?" | "="
                     | "{" | "}" | SP | HT

Therefore base64-encoded values when they include “=” need to be quoted strings or URL-encoded. I would recommend always using quoted-strings as that seems like it should always work for a conforming client.