Is the name of a cookie case sensitive?

Question

A HTTP Cookie consists of a name-value pair and can be set by the server using this response:

HTTP/1.0 200 OK
Content-type: text/html
Set-Cookie: name=value
         


        

Answer 1

It seems cookies are actually case sensitive. Theres some confusion with this. It is interesting that the MSDN says otherwise:

Cookie names are NOT case-sensitive

Source: http://msdn.microsoft.com/en-us/library/ms970178.aspx the bottom of the article says it's ©2002 so it might be outdated.

Also, the question has been asked in the asp.net forums, too: http://forums.asp.net/t/1170326.aspx?Are+cookie+names+case+sensitive+ and it seems the answer is case-sensitive.

What's going on? MSDN says no, other technologies say yes. To be sure, I tested this using ASP classic.

Code

hashUCASE = Request.Cookies("data")("Hash")
hashLCASE = Request.Cookies("data")("hash")

Response.Write "
 hashUCASE = " & hashUCASE
Response.Write "
 hashLCASE = " & hashLCASE


cookieNameUCASE = Request.Cookies("Data")
cookieNameLCASE = Request.Cookies("data")

Response.Write "
 cookieNameUCASE = " & cookieNameUCASE
Response.Write "
 cookieNameLCASE = " & cookieNameLCASE

Response.End

Results

hashUCASE: EE3305C0DAADAAAA221BD5ACF6996AAA
hashLCASE: EE3305C0DAADAAAA221BD5ACF6996AAA

cookieNameUCASE: name=1&Hash=EE3305C0DAADAAAA221BD5ACF6996AAA
cookieNameLCASE: name=1&Hash=EE3305C0DAADAAAA221BD5ACF6996AAA

As you can see in the results, the value "Hash" was created with uppercase and even when you make the request with lower case, it returns the same value, which makes it not case-sensitive. Under this MS technology, it is not.

Conclusion

So, using Request.Cookies() in ASP classic, it's not case-sensitive, like Microsoft says. But wait, isn't it case sensitive again? This may mean that whether sensitive or not depends on the server side technology that makes the request to the browser, which could be normalizing the cookie name to make the requests and thus making it not case sensitive. But that's something else we'll have to test to verify.

My advice is to make tests with whatever technology you are using and establish a standard in your code base, make an agreement with your team. i.e. if you're going to use a cookie, decide if it will always be written in lowercase or uppercase anytime you are going to use it in your code. That way there won't be any case sensitivity problems because in your code it will be always declared with the same case.

tl;dr

As long as you keep a convention with the cookie names you won't have problems with case sensitivity.