From 7872896314a4a0327350f84a09fe3277dd5a7d26 Mon Sep 17 00:00:00 2001
From: Mark Valor <mkvalor@gmail.com>
Date: Thu, 23 Jan 2020 13:42:42 -0800
Subject: [PATCH] Added http cookie valid characters doc

---
 http_cookie_valid_chars | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)
 create mode 100644 http_cookie_valid_chars

diff --git a/http_cookie_valid_chars b/http_cookie_valid_chars
new file mode 100644
index 0000000..7ab381a
--- /dev/null
+++ b/http_cookie_valid_chars
@@ -0,0 +1,22 @@
+In 6265 the cookie name is still specified as an RFC 2616 token, which means
+you can pick from the alphanums plus:
+
+!#$%&'*+-.^_`|~
+
+In the cookie value it formally bans the (filtered by browsers) control
+characters and (inconsistently-implemented) non-ASCII characters. It retains
+cookie_spec's prohibition on space, comma and semicolon, plus for compat-
+ibility with any poor idiots who actually implemented the earlier RFCs it
+also banned backslash and quotes, other than quotes wrapping the whole value
+(but in that case the quotes are still considered part of the value, not an
+encoding scheme). So that leaves you with the alphanums plus:
+
+!#$%&'()*+-./:<=>?@[]^_`{|}~
+
+In the real world we are still using the original-and-worst Netscape
+cookie_spec, so code that consumes cookies should be prepared to encounter
+pretty much anything, but for code that produces cookies it is advisable to
+stick with the subset in RFC 6265.
+
+From an answer by user bobince on
+https://stackoverflow.com/questions/1969232/what-are-allowed-characters-in-cookies