
Empty cookies when Cookie header contains keyless cookie #3815

@Gregofi

Description

Hello,

some browsers (at least FF and Chrome) will send cookies in the Cookie header that have an empty key ("").
Such a cookie can be set via document.cookie = "a" or document.cookie = "=a".
Both of these will show in network tools as cookies with an empty key.
These cookies are then sent as follows: Cookie: foo=1; a; bar=2, where a is the cookie we previously set via document.cookie = "a".

Expected Behavior

Actix throws away the a cookie and returns foo and bar in req.cookie("foo").
Or it can return a for req.cookie("").

Current Behavior

Actix throws away the whole header completely.
For Cookie: foo=1; a; bar=2 and every possible parameter x, a call to req.cookie(x) will always yield None.

Possible Solution

Parse the cookies as now (split by ; and parse them one by one), but do not exit when one fails.
Something like this could work I think: https://github.com/actix/actix-web/pull/3814/files.
This is fairly easy to implement.

Or allow these cookies altogether, so req.cookie("") would return a.
This probably requires either parsing this special case separately or trying to change the cookie crate.

Steps to Reproduce (for bugs)

Run the following small actix project:
https://gist.github.com/Gregofi/d698758b67a0f0763d29176878c8d280

Run these two curls:

curl localhost:8080 --cookie 'foo=1; bar=2'
curl localhost:8080 --cookie 'foo=1; bar'

the second will print None, even when we are reading foo (and not touching `bar`).

Context

We provide a small script that runs on various websites.
We have no control over which cookies will be set on the website.
This resulted in our endpoint silently returning very unexpected input, and it was very hard to trace down what exactly has been happening.

It seems that such cookies are not permitted by RFC, but since the major browsers allow them, I think Actix should at least handle them some way (allow them, ignore them, warn about them via log).

For now, we parse the Cookie header by ourselves and cannot rely on req.cookie.

Your Environment

  • Rust Version (I.e, output of rustc -V): rustc 1.90.0 (1159e78c4 2025-09-14)
  • Actix Web Version: 4.11.0
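The per-cookie parsing suggested under "Possible Solution", written out as an added example (this is not actix-web's or the cookie crate's code, and the names parse_cookie_header, ParsedCookie and cookie are assumptions): each `;`-separated pair is parsed on its own, and a pair without `=` is kept under the empty name instead of discarding the whole header.

```rust
// Added example, not actix-web's or the cookie crate's code: a lenient
// Cookie-header parser that tolerates keyless cookies such as "foo=1; a; bar=2".
// Each pair is parsed independently; a pair without '=' is kept under the
// empty name "" instead of making the whole header unparseable.

#[derive(Debug, PartialEq)]
pub struct ParsedCookie {
    pub name: String,
    pub value: String,
}

/// Parse a Cookie header value leniently.
/// - "foo=1" -> ("foo", "1")
/// - "a"     -> ("", "a")   keyless cookie, as browsers send it
/// - "=a"    -> ("", "a")
/// - ""      -> skipped (e.g. a trailing "; ")
pub fn parse_cookie_header(header: &str) -> Vec<ParsedCookie> {
    header
        .split(';')
        .map(str::trim)
        .filter(|pair| !pair.is_empty())
        .map(|pair| match pair.split_once('=') {
            Some((name, value)) => ParsedCookie {
                name: name.trim().to_string(),
                value: value.trim().to_string(),
            },
            None => ParsedCookie {
                name: String::new(),
                value: pair.to_string(),
            },
        })
        .collect()
}

/// Look up a cookie by name; the empty name selects the keyless cookie.
pub fn cookie<'a>(cookies: &'a [ParsedCookie], name: &str) -> Option<&'a str> {
    cookies.iter().find(|c| c.name == name).map(|c| c.value.as_str())
}

fn main() {
    let cookies = parse_cookie_header("foo=1; a; bar=2");
    println!("foo = {:?}", cookie(&cookies, "foo"));
    println!("keyless = {:?}", cookie(&cookies, ""));
}
```

To ignore keyless cookies instead of exposing them under "", add a `.filter(|c| !c.name.is_empty())` before `.collect()`; either way the named cookies stay readable.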
