
bug: APISIX Core Cookie Parser Fails with Spaces or Quoted Values in Cookie Header #12452

@nagarajusunkara

Description


Current Behavior

Bug Description

The Lua-based cookie parser in APISIX fails to handle certain valid cookie formats, specifically when cookie values contain spaces or are quoted (e.g., "foo bar"), or when there are spaces around =. Instead of correctly associating the entire value with the key, the parser truncates values or incorrectly creates extra keys from portions of the value after a space. This leads to data loss and misinterpretation of client state.

How to Reproduce

Send a request to APISIX with a Cookie header like:

Cookie: session="foo bar baz"; locale = en US ; foo = spaced out ; badflag;

Use any Lua plugin or code that retrieves cookies using the built-in parser (e.g., cookie:get_all() or cookie:get()).
https://github.com/apache/apisix/blob/master/apisix/core/ctx.lua#L288

Observe the parsed result, which may look like:

{
  session: '"foo',
  bar baz: (missing or empty),
  locale: 'en',
  US: (missing or empty),
  foo: 'spaced',
  out: (missing or empty),
  badflag: (empty or true)
}

Instead of:

{
  session: 'foo bar baz',
  locale: 'en US',
  foo: 'spaced out',
  badflag: ''
}

Minimal Reproducible Example

local cookie_str = 'session="foo bar baz"; locale = en US ; foo = spaced out ;'
local cookies = parse_cookies(cookie_str) -- using built-in or naive parser
-- cookies["session"] == '"foo'
-- cookies["bar baz"] == nil
-- cookies["locale"] == 'en'
-- cookies["US"] == nil
-- cookies["foo"] == 'spaced'
-- cookies["out"] == nil

Additional Context

The parser’s pattern validation fails with spaces and special formatting.

Scenario               Naive parser behaviour
key=val ue             ❌ Splits on space
key="quoted"           ❌ Includes quotes
key=val%20encoded      ❌ Raw value
malformed===           ❌ Crashes
key=; key2=val         ❌ Wrong parsing
Long cookie strings    ❌ May timeout

RFC 6265 allows spaces and quoted strings as part of the cookie value.

This bug leads to incorrect state tracking or authentication failures for end-users.

Expected Behavior

All cookie values—including those with spaces or quotes—should be fully and correctly associated with their key, as per RFC 6265.

Error Logs

No errors in the logs; rather, malformed cookies are being passed in the request.

Steps to Reproduce

  1. Run APISIX using Docker or Helm
  2. Create a route with a vars condition on a cookie. Even with a valid cookie, the vars condition fails and the wrong route is picked, because cookie parsing is failing and a bad cookie is sent in the request.

Environment

  • APISIX version (run apisix version): 3.11
  • Operating system (run uname -a): Linux
  • OpenResty / Nginx version (run openresty -V or nginx -V):
  • etcd version, if relevant (run curl http://127.0.0.1:9090/v1/server_info):
  • APISIX Dashboard version, if relevant:
  • Plugin runner version, for issues related to plugin runners:
  • LuaRocks version, for installation issues (run luarocks --version):
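The following is an added example, not code from APISIX or from the report above, showing the lenient parse the reporter is asking for. Two points of context that the report does not spell out: RFC 6265 §4.1.1 defines cookie-value as a run of cookie-octet (which excludes whitespace, DQUOTE, comma, semicolon and backslash) optionally wrapped in DQUOTEs, so `locale = en US` is not strictly conformant and the quotes in `session="foo bar baz"` are part of the serialized value; and, to my knowledge, the parser behind `core/ctx.lua` is lua-resty-cookie, which terminates a value at the first space or tab, which is exactly what produces the `session: '"foo'` result shown. The parser below instead splits only on `;`, trims whitespace around name and value, strips one surrounding DQUOTE pair, keeps `=`-less attributes such as `badflag` as empty strings, and never errors on inputs like `malformed===`. Names `parse_cookie_header` and `trim` are this example's own; the sample header is the constructed one from the report.

```lua
-- Added example (not APISIX or lua-resty-cookie code): a lenient parser
-- for the Cookie request header that tolerates spaces and quoted values.
--
-- RFC 6265 §4.1.1:
--   cookie-string = cookie-pair *( ";" SP cookie-pair )
--   cookie-pair   = cookie-name "=" cookie-value
--   cookie-value  = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE )
-- cookie-octet excludes whitespace, so internal spaces are non-conformant;
-- this parser accepts them anyway and only treats ';' as a separator.

local function trim(s)
  -- Remove leading and trailing SP / HTAB; parentheses drop gsub's count.
  return (s:gsub("^[ \t]+", ""):gsub("[ \t]+$", ""))
end

local function parse_cookie_header(header)
  local cookies = {}
  if type(header) ~= "string" then
    return cookies
  end

  -- Split on ';' only. A trailing ';' yields no extra pair.
  for pair in header:gmatch("[^;]+") do
    local eq = pair:find("=", 1, true)   -- plain find: first '=' only
    local name, value
    if eq then
      name  = trim(pair:sub(1, eq - 1))
      value = trim(pair:sub(eq + 1))     -- "malformed===" -> value "=="
    else
      -- An attribute without '=' (e.g. "badflag") is kept with an empty
      -- value so downstream code can still see that it was present.
      name, value = trim(pair), ""
    end

    -- Strip exactly one surrounding DQUOTE pair (the RFC quoted form).
    if #value >= 2 and value:sub(1, 1) == '"' and value:sub(-1) == '"' then
      value = value:sub(2, -2)
    end

    -- Empty names are dropped; on duplicate names this example keeps the
    -- first occurrence. Percent-encoding is left untouched on purpose:
    -- RFC 6265 prescribes no decoding, so a caller must opt in explicitly.
    if name ~= "" and cookies[name] == nil then
      cookies[name] = value
    end
  end
  return cookies
end

-- Constructed input: the exact header from the report.
local header = 'session="foo bar baz"; locale = en US ; foo = spaced out ; badflag;'
local c = parse_cookie_header(header)
assert(c.session == "foo bar baz")
assert(c.locale  == "en US")
assert(c.foo     == "spaced out")
assert(c.badflag == "")
assert(c["bar baz"] == nil and c.US == nil and c.out == nil)

-- Rows from the scenario table in the report.
assert(parse_cookie_header("malformed===").malformed == "==")
local t = parse_cookie_header("key=; key2=val")
assert(t.key == "" and t.key2 == "val")
assert(parse_cookie_header("key=val%20encoded").key == "val%20encoded")
assert(next(parse_cookie_header(nil)) == nil)

return parse_cookie_header
```

In an APISIX plugin this would be fed `ngx.var.http_cookie` in the `rewrite` or `access` phase. One caveat before relying on it for routing or authorization decisions: browsers send a quoted cookie value with the DQUOTEs intact, and whether the upstream application strips them (or tolerates spaces at all) is framework-specific, so a gateway that parses more leniently than the upstream can match a route `vars` condition on a value the upstream will never see in that form. Keep the gateway's interpretation of the header aligned with the upstream's, or match on the raw `http_cookie` variable, rather than assuming the lenient parse is the canonical one.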

Metadata

Labels: question (label for questions asked by users)
Status: Backlog
Assignees: none
Milestone: none