local cookie = require "resty.http_cookie"
local coo = cookie:new()

coo:set({key="test",value="test value"})

next request ,i use coo:get("test") ,it will return "test" not "test value";

        if state == EXPECT_KEY then
            if byte(text_cookie, j) == EQUAL then
                key = sub(text_cookie, i, j - 1)
                state = EXPECT_VALUE
                i = j + 1
            end
        elseif state == EXPECT_VALUE then
            if byte(text_cookie, j) == SEMICOLON
                    --this is the reason code,it use SPACE OR HTAB as a separator,why?
                    or byte(text_cookie, j) == SPACE
                    or byte(text_cookie, j) == HTAB
            then
                value = sub(text_cookie, i, j - 1)
                cookie_table[key] = value
                cnt = cnt + 1
            end
                key, value = nil, nil
                state = EXPECT_SP
                i = j + 1
            end
        elseif state == EXPECT_SP then

Hi,

I am getting the following error when trying to set a new cookie:
failed to run body_filter_by_lua*: /usr/local/share/lua/5.1/resty/cookie.lua:164: bad argument #1 to 'clear_tab' (table expected, got nil)

My code:

return cookie:set({
        key = "Name",
        value = "Bob",
        path = "/",
        domain = "domain.com",
        secure = false, httponly = true,
        expires = "Wed, 09 Jun 2021 10:18:14 GMT",
        max_age = 50,
        samesite = "Strict",
        extension = "a4334aebaec"
    })

Thank you for your help

Hi, is there a way to set a License on this repo? as to remove some ambiguity?
Thanks

Hi there, thank you for this library, I have been using it for years with rock solid reliability.

I'm running into a new issue that has me somewhat baffled, I'm not sure where else to go.

When running "docker build", I'm hitting an error when it comes to installing lua-resty-cookie:

Installing https://luarocks.org/lua-resty-cookie-0.1.0-1.rockspec
Cloning into 'lua-resty-cookie'...
fatal: unable to connect to github.com:
github.com[0: 140.82.112.3]: errno=Connection timed out


Error: Failed cloning git repository.

I'm seeing this problem when working from a DigitalOcean droplet (2 different ones).

Stripped down Dockerfile:

FROM openresty/openresty:bionic

RUN apt-get update

RUN apt-get install git -y

RUN /usr/local/openresty/luajit/bin/luarocks install lua-resty-http \
    && /usr/local/openresty/luajit/bin/luarocks install lua-resty-auto-ssl \
    && /usr/local/openresty/luajit/bin/luarocks install lua-resty-template \
    && /usr/local/openresty/luajit/bin/luarocks install lua-resty-cookie \
    && /usr/local/openresty/luajit/bin/luarocks install web_sanitize

RUN openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 -subj '/CN=sni-support-required-for-valid-ssl' -keyout /etc/ssl/resty-auto-ssl-fallback.key -out /etc/ssl/resty-auto-ssl-fallback.crt

ADD ssl /etc/ssl

ADD templates /usr/local/openresty/nginx/html/templates

ADD static /usr/local/openresty/nginx/

ADD blocks /usr/local/openresty/nginx/html/templates

ADD confs /usr/local/openresty/nginx/conf

EXPOSE 8080
ENTRYPOINT ["/usr/local/openresty/nginx/sbin/nginx", "-g", "daemon off;"]

Does anyone have any insight or experience this issue? I woudln't be surprised if this was somehow my fault, but it feels like it popped up out of the blue.

Thanks,

[Edit]:

• I found https://stackoverflow.com/questions/72915782/fatal-unable-to-connect-to-github-com-github-com0-140-82-121-3-errno-opera
• It explains that the problem is due to the git source URL being on the git:// protocol (https://luarocks.org/lua-resty-cookie-0.1.0-1.rockspec)
• Which leads to githubs explanation: https://github.blog/2021-09-01-improving-git-protocol-security-github/

... only users connecting via SSH or git:// are affected. If your Git remotes start with https://, nothing here will affect you

So, is the issue with the git repo URL within the .rockspec file? Or it is something else?

Edit2:

I didn't realize there is an open PR addressing this:

#50

https://opm.openresty.org/

Steps to reproduce:
Run a docker build with the following dockerfile:

FROM kong:2.6.0-alpine
USER root
RUN luarocks install lua-resty-cookie

Error:
Cloning into 'lua-resty-cookie'...
fatal: remote error:
The unauthenticated git protocol on port 9418 is no longer supported.
Please see https://github.blog/2021-09-01-improving-git-protocol-security-github/ for more information.

Error: Failed cloning git repository.

Failed parse cookies value with space, should comment out 2 lines (73 74)
-- or byte(text_cookie, j) == SPACE
-- or byte(text_cookie, j) == HTAB

to make it work with space in cookie value

I'm trying to use this library in a reverse proxy that modifies a cookie header before passing the request to the upstream. For example, if an incoming request has this header:

Cookie: a=1; b=2; c=3

I want to parse it, remove b and change the value of a, producing a value like:

a=4; c=3

After that, I use a directive like proxy_set_header Cookie $new_cookies to override the cookies sent to the upstream.

Right now I can't cleanly accomplish this using lua-resty-cookie. I can parse the incoming Cookie header using get_all(), but I have to filter/modify/assemble the resulting cookie myself.

It would be helpful to have API for updating values inside the cookie table, and serializing the table to the format used in a Cookie header. E.g. something like this:

• cookie.update(key, value) -- updates a cookie in the table
• cookie.del(name) -- removes a cookie from the table
• cookie.to_string() -- serializes table as a Cookie header

Would this fit within the scope of this library? Or is this project intended only as a wrapper for Set-Cookie?

Could we please get this package either updated to the latest version on LuaRocks or published to OPM?

Somtimes I failed to get cookie in access_by_lua_file dierective during some requests flow, but I can get cookie by ngx.var[cookie_key].

Is there anyone has this problem with me?

This curl:

curl -b "name3=booboo; name2=hello_Hahabooboo ; username=foofoo" -o zoo1 -v "http://test.com/1.jpg"

breaks the code, the next cookie name starts with a semicolon.

Here is the proposed fix:

--- /usr/local/openresty/lualib/resty/cookie.lua.orig 2017-07-05 17:39:05.660555808 +0000
+++ /usr/local/openresty/lualib/resty/cookie.lua       2017-07-05 18:08:51.604555808 +0000
@@ -41,6 +41,7 @@
     local EXPECT_KEY    = 1
     local EXPECT_VALUE  = 2
     local EXPECT_SP     = 3
+    local EXPECT_SEMI   = 4
 
     local n = 0
     local len = #text_cookie
@@ -74,8 +75,12 @@
                 cookie_table[key] = value
 
                 key, value = nil, nil
-                state = EXPECT_SP
                 i = j + 1
+                              if byte(text_cookie, j) == SEMICOLON then
+                    state = EXPECT_SP
+                              else
+                                  state = EXPECT_SEMI
+                              end
             end
         elseif state == EXPECT_SP then
             if byte(text_cookie, j) ~= SPACE
@@ -85,6 +90,12 @@
                 i = j
                 j = j - 1
             end
+              elseif state == EXPECT_SEMI then
+                  if byte(text_cookie, j) ~= SEMICOLON then
+                  else
+                              state = EXPECT_SP
+                              i = j + 1
+                  end
         end
         j = j + 1
     end

it is not obvious to me the utility for cookie parameter extension
from my understanding it is just something added at the end of cookie value string

am i correct ?

Please check my pull request with examples of bug.

I installed this module via luarocks and was wondering why the "samesite" flag wasn't working until i realised that the version registered with luarocks is 5 years old. Is this intended or was it simply forgotten?

https://luarocks.org/modules/calio/lua-resty-cookie

Because some of my opm packages require this repo.
I know p0pr0ck5/lua-resty-cookie, but it's just a fork.

From master

make test
PATH=/usr/local/openresty/nginx/sbin:$PATH prove -I../test-nginx/lib -r t
t/sanity.t .. 44/72 # Looks like you planned 72 tests but ran 74.
t/sanity.t .. Dubious, test returned 255 (wstat 65280, 0xff00)
All 72 subtests passed 

Test Summary Report
-------------------
t/sanity.t (Wstat: 65280 Tests: 74 Failed: 2)
  Failed tests:  73-74
  Non-zero exit status: 255
  Parse errors: Bad plan.  You planned 72 tests but ran 74.
Files=1, Tests=74,  2 wallclock secs ( 0.04 usr  0.00 sys +  0.38 cusr  0.13 csys =  0.55 CPU)
Result: FAIL
make: *** [Makefile:17: test] Error 1

Using git bisect
a2cb7798133d891510bd37340390314644083da9 is the first bad commit

a2cb779 is the commit adding a test but not updating plan tests

The last PR was over a year ago. There are 10 PRs open and a ton of issues that have been addressed. Is this repo unmanaged now?

Dear experts,

Is there any way to set the cookie before the request is forwarded to the upstream? The main idea is to make sure all the incoming requests can come in with cookie available.

Thanks,

2 weeks ago I started to have errors with cookies.
When I checked cookie attributes, I saw "SameSite" key is always empty.
I tried to use all values ("None", "Strict", "Lax") and the final result is the same, "SameSite" is empty. I modified another key of my cookie at the same time and is was well updated.
Here is my cookie :

local ck, error = cookie:set({
        key = "tmp",
        value  = "xxx",
        domain = '.' .. myDomain,
        path   = "/",
        secure = true,
        httponly = true,
        samesite = "Strict",
        expires = "Thu, 7 Jun 2023 02:02:02 GMT"
    })

Do something changed with the last release ?

From the doc https://github.com/cloudflare/lua-resty-cookie/blob/master/README.md#set, when set cookie with expires time, it need to transfer the time to cookie.time() first which was not same like nginx-sticky-module-ng did. refer https://bitbucket.org/nginx-goodies/nginx-sticky-module-ng/overview.

The question was, Do I need to calculate the expires time before set cookie? and does there have any lua module can parse the time like ngx_parse.c did(https://www.cnblogs.com/xiangnan/p/5647115.html).

@agentzh

• did not get Secure?

"Set-Cookie: X_SADG_RouterID=test"
"Set-Cookie: tag=sign-8080; path=/; Secure"

• demo

    local fields, err = cookie:get_all()
    if not fields then
        ngx.log(ngx.ERR, err)
        return
    end

    for k, v in pairs(fields) do
        ngx.log(ngx.ERR, "=============" .. k .. " => ", v)
    end

https://github.com/cloudflare/lua-resty-cookie/blob/master/lib/resty/cookie.lua#L87

I test for many case, if no j = j - 1 , it will work well .

so why should decrease for this ? any special case for cookie ?

thanks .

E.g. Expires, Max-Age, Domain...

Basically, I need the opposite of local function bake(cookie). Parse the cookie string and returns me cookie object.

How can I generate random hash with expire time for cookie in nginx?

Hello. Is it possible to completely delete a cookie?

I've tried cookie:set({key = "jwt",value = nil}) but that does nothing. cookie:set({key = "jwt",value = ""}) does succeed in setting the cookie value to empty, but my goal is to delete the cookie completely.

Thanks!

function _M.toUTCString(self, time)
return os.date("%a, %d %b %Y %H:%I:%S GMT", time)
end

this will be more friendly for users~~~

Instead of setting to Set-Cookie and getting from Cookie, directly modifying the header would be useful for proxy(and WAF).

When I try to set cookie:

2016/07/11 10:44:43 [error] 19243#0: *272 attempt to set ngx.header.HEADER after sending out response headers, client: 5.61.237.205, server: localhost, request:

It would be nice to include your library into the https://luarocks.org/ eco sphere.

When I want Set-Cookie, I got an error, I don't know why, please help me if anybody knows it.

ENV: openresty

here is my code

The Synopsis example in README.md is not a valid nginx config file, right? The Lua code there should be wrapped in content_by_lua. I don't mind doing a PR, I just wanted to make sure I was correct before doing so...

cookie = ck:new()
cookie:set({key = "aa", value = "vaa"})
cookie:set({key = "bb", value = "vbb"})

next time I using the cookie to using cookie:get("aa"), it return "vaa,", not just "vaa"

The code is limiting the possible values of samesite attribute to either 'Strict' or 'Lax'.
however there is another possible value: none.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#SameSite_cookies

Assume that the client's cookie is
Hm_lvt_ff7f6fcad4e6116760e7b632f9614dc2=1583134761; Hm_lvt_137ae1af30761db81edff2e16f0bf0f8=1583134761; Hm_lpvt_ff7f6fcad4e6116760e7b632f9614dc2=1583309076 Hm_lpvt_137ae1af30761db81edff2e16f0bf0f8=<img src=x onerror=alert(1)>

Then get the following:
{"Hm_lvt_ff7f6fcad4e6116760e7b632f9614dc2":"1583134761","onerror":"alert(1)>","Hm_lvt_137ae1af30761db81edff2e16f0bf0f8":"1583134761","Hm_lpvt_137ae1af30761db81edff2e16f0bf0f8":"<img","Hm_lpvt_ff7f6fcad4e6116760e7b632f9614dc2":"1583309076","src":"x"}

This confused me. I also plan to modify some of your code logic

Hello.

If I try to set cookie for different domain, it does not work.

For example I go to site.corp.com and I want to set cookie to this session, but for different domain. For example to site.bank.net.

Is it possible?