What are allowed characters in cookies?

In HTTP cookies, according to the RFC 6265 standard, the value of a cookie is composed of a sequence of cookie-octet, which includes the following characters:

• ! (ASCII value 33)
• " (ASCII value 34)
• # (ASCII value 35)
• $ (ASCII value 36)
• % (ASCII value 37)
• & (ASCII value 38)
• ' (ASCII value 39)
• ( (ASCII value 40)
• ) (ASCII value 41)
• * (ASCII value 42)
• + (ASCII value 43)
• , (ASCII value 44)
• - (ASCII value 45)
• . (ASCII value 46)
• / (ASCII value 47)
• Digits 0-9 (ASCII values 48-57)
• : (ASCII value 58)
• ; (ASCII value 59)
• < (ASCII value 60)
• = (ASCII value 61)
• > (ASCII value 62)
• ? (ASCII value 63)
• @ (ASCII value 64)
• Letters A-Z (ASCII values 65-90)
• [ (ASCII value 91)
• \ (ASCII value 92)
• ] (ASCII value 93)
• ^ (ASCII value 94)
• _ (ASCII value 95)
• ` (ASCII value 96)
• Letters a-z (ASCII values 97-122)
• { (ASCII value 123)
• | (ASCII value 124)
• } (ASCII value 125)
• ~ (ASCII value 126)

It is important to note that certain special characters, such as double quotes ("), commas (,), semicolons (;), and backslashes (\), have specific purposes in cookies or may conflict with cookie delimiters. Therefore, special care is needed when using these characters, and encoding may be required.

For example, if you want to set a cookie value containing commas or semicolons, you may need to encode them using functions like encodeURIComponent in JavaScript to ensure they do not interfere with the cookie format. For instance:

javascript
document.cookie = "example=" + encodeURIComponent("value;with,special&characters");