net/http: ParseSetCookie behavior is inconsistent with browsers #73085

Closed
kaylee595 opened this issue Mar 28, 2025 · 2 comments

@kaylee595

Go version

```
go version go1.23.5 windows/amd64
```

Output of go env in your module/workspace:

```
set GO111MODULE=
set GOARCH=amd64
set GOBIN=
set GOCACHE=C:\Users\Administrator\AppData\Local\go-build
set GOENV=C:\Users\Administrator\AppData\Roaming\go\env
set GOEXE=.exe
set GOEXPERIMENT=
set GOFLAGS=
set GOHOSTARCH=amd64
set GOHOSTOS=windows
set GOINSECURE=
set GOMODCACHE=C:\Users\Administrator\go\pkg\mod
set GONOPROXY=gitee.com/kaylee595/*
set GONOSUMDB=gitee.com/kaylee595/*
set GOOS=windows
set GOPATH=C:\Users\Administrator\go
set GOPRIVATE=gitee.com/kaylee595/*
set GOPROXY=https://goproxy.cn,direct
set GOROOT=C:\Program Files\Go
set GOSUMDB=sum.golang.org
set GOTMPDIR=
set GOTOOLCHAIN=auto
set GOTOOLDIR=C:\Program Files\Go\pkg\tool\windows_amd64
set GOVCS=
set GOVERSION=go1.23.5
set GODEBUG=
set GOTELEMETRY=local
set GOTELEMETRYDIR=C:\Users\Administrator\AppData\Roaming\go\telemetry
set GCCGO=gccgo
set GOAMD64=v1
set AR=ar
set CC=gcc
set CXX=g++
set CGO_ENABLED=1
set GOMOD=NUL
set GOWORK=
set CGO_CFLAGS=-O2 -g
set CGO_CPPFLAGS=
set CGO_CXXFLAGS=-O2 -g
set CGO_FFLAGS=-O2 -g
set CGO_LDFLAGS=-O2 -g
set PKG_CONFIG=pkg-config
set GOGCCFLAGS=-m64 -mthreads -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=C:\Users\ADMINI~1\AppData\Local\Temp\go-build4226472136=/tmp/go-build -gno-record-gcc-switches
```

What did you do?

```go
cookie, err := http.ParseSetCookie("sdcloud:sess=DoSMC1JLLuwj9FpAR6_aM1QRKFTXfN47; path=/; httponly")
if err != nil {
	panic(err)
}
fmt.Println(cookie)
```

Cookie names with colons cannot be processed correctly. Although the RFC does not list colons as valid tokens, browsers can actually process cookies with colons normally, so I think there should be an option to decide whether to handle them leniently.
Although I can implement a function to solve this problem myself, I encounter a problem. In a redirect request, httpClient will automatically save the cookie for each redirection, but if the cookie name does not conform to the internal settings of http.ParseSetCookie, the cookie will not be saved. This makes it very complicated for me to implement this cookie saving myself. I need to disable the redirection strategy and customize http.ParseSetCookie.
Perhaps the colon should be listed as a valid character, or perhaps loose validation should be supported (not using the RFC standard). I don't know how to do it well, but the browser can handle the colon normally. I can't modify the server, and the server is not under my control.

What did you see happen?

```
panic: http: invalid cookie name
```

What did you expect to see?

```
sdcloud:sess=DoSMC1JLLuwj9FpAR6_aM1QRKFTXfN47; Path=/; HttpOnly
```

@seankhliao
Member

Duplicate of #12698

seankhliao marked this as a duplicate of #12698 on Mar 28, 2025
seankhliao closed this as not planned on Mar 28, 2025