What are the allowed characters in cookie names and values? Are they the same as those allowed in URLs, or some common subset?
The reason I ask is that I have recently run into some odd behaviour with cookies that have - in their names, and I am just wondering whether this is browser-specific or whether my code is wrong.
Current answer
According to the ancient Netscape cookie_spec, the entire NAME=VALUE string is:
a sequence of characters excluding semi-colon, comma and white space.
It should work, and it seems to be OK in the browsers I have here; where are you having problems with it?
In summary:
= is legal but potentially ambiguous. Browsers always split the name and value at the first = symbol in the string, so in practice you can put an = symbol in the VALUE but not in the NAME.
What isn't mentioned, because Netscape were terrible at writing specs, but seems to be consistently supported by browsers:
Either the NAME or the VALUE may be empty strings.
If there is no = symbol in the string at all, browsers treat it as the cookie with the empty-string name, i.e. Set-Cookie: foo is the same as Set-Cookie: =foo.
When browsers output a cookie with an empty name, they omit the equals sign. So Set-Cookie: =bar begets Cookie: bar.
Commas and spaces in names and values do actually seem to work, though spaces around the equals sign are trimmed.
Control characters (\x00 to \x1F plus \x7F) aren't allowed.
What isn't mentioned, and which browsers are wildly inconsistent about, is non-ASCII (Unicode) characters:
in Opera and Google Chrome, they are encoded into the Cookie header as UTF-8; in IE, the machine's default code page is used (locale-specific and never UTF-8); Firefox (and other Mozilla-based browsers) use the low byte of each UTF-16 code point on its own (so ISO-8859-1 is OK but anything else is mangled); Safari simply refuses to send any cookie containing non-ASCII characters.
So in practice you cannot use non-ASCII characters in cookies at all. If you want to use Unicode, control codes or other arbitrary byte sequences, the cookie_spec demands that you use an ad-hoc encoding scheme of your own choosing, and it suggests URL-encoding (as produced by JavaScript's encodeURIComponent) as a reasonable choice.
In terms of actual standards, there have been a few attempts to codify cookie behaviour, but none thus far actually reflects the real world.
RFC 2109 was an attempt to codify and fix the original Netscape cookie_spec. In this standard many more special characters are disallowed, as it uses RFC 2616 tokens (a - is still allowed there), and only the value may be specified in a quoted-string with other characters. No browser ever implemented the limitations, the special handling of quoted strings and escaping, or the new features in this spec.
RFC 2965 was another go at it, tidying up 2109 and adding more features under a ‘version 2 cookies’ scheme. Nobody ever implemented any of that either. This spec has the same token-and-quoted-string limitations as the earlier version and it's just as much a load of nonsense.
RFC 6265 is an HTML5-era attempt to clear up the historical mess. It still doesn't match reality exactly but it's much better than the earlier attempts—it is at least a proper subset of what browsers support, not introducing any syntax that is supposed to work but doesn't (like the previous quoted-string).
In 6265 the cookie name is still specified as an RFC 2616 token, which means you can pick from the alphanums plus:
!#$%&'*+-.^_`|~
In the cookie value it formally bans the (filtered by browsers) control characters and (inconsistently-implemented) non-ASCII characters. It retains cookie_spec's prohibition on space, comma and semicolon, plus for compatibility with any poor idiots who actually implemented the earlier RFCs it also banned backslash and quotes, other than quotes wrapping the whole value (but in that case the quotes are still considered part of the value, not an encoding scheme). So that leaves you with the alphanums plus:
!#$%&'()*+-./:<=>?@[]^_`{|}~
In the real world we are still using the original and worst Netscape cookie_spec, so code that consumes cookies should be prepared to encounter pretty much anything, but for code that produces cookies it is advisable to stick with the subset in RFC 6265.
Other answers
There are two versions of cookie specifications: 1. Version 0 cookies, aka Netscape cookies; 2. Version 1, aka RFC 2965 cookies. In version 0, the name and value parts of a cookie are sequences of characters excluding semicolon, comma, equals sign and whitespace, if not used with double quotes. Version 1 is much more complicated; you can check it here. In this version the specs for the name-value part are almost the same, except that the name cannot start with a $ sign.
This is simple:
A <cookie-name> can be any US-ASCII characters except control characters (CTLs), spaces, or tabs. It also must not contain a separator character like the following: ( ) < > @ , ; : \ " / [ ] ? = { }.
A <cookie-value> can optionally be set in double quotes, and any US-ASCII characters excluding CTLs, whitespace, double quotes, comma, semicolon, and backslash are allowed.
Encoding: Many implementations perform URL encoding on cookie values; however, it is not required per the RFC specification. It does help satisfy the requirements about which characters are allowed, though.
Link: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie (Directives section)
In ASP.NET, you can use System.Web.HttpUtility to safely encode the cookie value before writing the cookie, and convert it back to its original form when reading it.
// Encode before writing the cookie
string encodedCookieData = HttpUtility.UrlEncode(cookieData);
// Decode after reading the cookie back
string originalCookieData = HttpUtility.UrlDecode(encodedCookieData);
This will prevent ampersands and equals signs from splitting a value into a bunch of name/value pairs when it is written to a cookie.
The newer RFC 6265, published in April 2011:
cookie-header = "Cookie:" OWS cookie-string OWS
cookie-string = cookie-pair *( ";" SP cookie-pair )
cookie-pair = cookie-name "=" cookie-value
cookie-value = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE )
cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
; US-ASCII characters excluding CTLs,
; whitespace DQUOTE, comma, semicolon,
; and backslash
If you look at @bobince's answer, you will see that the newer restrictions are more restrictive.
You cannot put ";" in the value field of a cookie; in most browsers the name that gets set will be the string before the ";"…
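As an added example (not code from any answer on this page), the JavaScript below checks cookie names against the RFC 2616 token rule from bobince's answer and values against the cookie-octet grammar quoted above, falls back to the encodeURIComponent encoding bobince recommends for anything outside that set, and splits a Cookie header at the first = only, as browsers do; the helper names are ours.

```javascript
// Added example (not from any answer on this page). Helper names are our own.

// cookie-name is an RFC 2616 token: alphanums plus !#$%&'*+-.^_`|~
const TOKEN_RE = /^[A-Za-z0-9!#$%&'*+\-.^_`|~]+$/;

// cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
// (printable US-ASCII minus space, DQUOTE, comma, semicolon and backslash)
const COOKIE_OCTET_RE = /^[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*$/;

function isValidCookieName(name) {
  return TOKEN_RE.test(name);
}

function isValidCookieValue(value) {
  // RFC 6265 lets the whole value be wrapped in DQUOTEs; the quotes then
  // count as part of the value, not as an encoding scheme.
  const quoted = value.length >= 2 && value.startsWith('"') && value.endsWith('"');
  return COOKIE_OCTET_RE.test(quoted ? value.slice(1, -1) : value);
}

// Build the NAME=VALUE part of a Set-Cookie header. Bad names are rejected
// (there is no escape for them); values outside cookie-octet are percent-
// encoded, which only ever yields characters inside the RFC 6265 set.
function buildSetCookie(name, value) {
  if (!isValidCookieName(name)) {
    throw new Error(`invalid cookie name: ${JSON.stringify(name)}`);
  }
  const safe = isValidCookieValue(value) ? value : encodeURIComponent(value);
  return `${name}=${safe}`;
}

// Parse a Cookie request header as browsers emit it: split on ';', then split
// each pair at the FIRST '=' only, so '=' inside a value survives. A pair with
// no '=' at all is the empty-name cookie bobince describes.
function parseCookieHeader(header) {
  const cookies = {};
  for (const part of header.split(';')) {
    const pair = part.trim();
    if (pair === '') continue;
    const eq = pair.indexOf('=');
    const name = eq === -1 ? '' : pair.slice(0, eq).trim();
    const value = eq === -1 ? pair : pair.slice(eq + 1).trim();
    cookies[name] = value;
  }
  return cookies;
}
```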