putting ='s, ampersands and colons in a cookie [duplicate]

This question already has answers here: Closed 12 years ago.

Possible Duplicate:

Allowed characters in cookies

I need to separate values in a cookie. So I chose &'s to separate name=value pairs just like I would in a URL. There can be multiple values too for a name, so I separate those with a colon.

My question is if this is legal? Do I need to URL encode everything? The values can have colon开发者_JAVA技巧s inside them, so I thought I'd URL encode the values in order to make sure the colons in a value don't conflict with the separator character. I read somewhere that enclosing the entire cookie with apostrophes works too, does that make sense?

If this is not legal, what's the best way to store my multiple name/value pairs that often have multiple values per name (in a specific order, so I can't just duplicate the name/values)?

---

You will have to percent-escape the characters contained in the name and value parts of the cookie, just like you should already be doing. For example, = would become %3D, & would become %26, etc. Just build up the string you want to use for your cookie value and run it through your language/framework's URI escaping function. If your framework has a method for setting cookies and it takes distinct name/value arguments, it should be doing this for you.