From d9a24ba5b9ccb4131a1fb1e35a8ae02ff34f70fc Mon Sep 17 00:00:00 2001
From: Felipe Pena <felipensp@gmail.com>
Date: Wed, 22 Oct 2025 11:07:06 -0300
Subject: [PATCH] net: fix cookie parsing when `;` is used (fix #25544)
 (#25561)

---
 vlib/net/http/cookie.v      | 5 +++--
 vlib/net/http/cookie_test.v | 7 +++++++
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/vlib/net/http/cookie.v b/vlib/net/http/cookie.v
index 42f991cfc..655b783a5 100644
--- a/vlib/net/http/cookie.v
+++ b/vlib/net/http/cookie.v
@@ -192,8 +192,9 @@ pub fn sanitize_cookie_value(v string) string {
 	if v.len == 0 {
 		return v
 	}
-	// Check for the existence of a space or comma
-	if val.starts_with(' ') || val.ends_with(' ') || val.starts_with(',') || val.ends_with(',') {
+	// Check for the existence of a space, comma or semicolon
+	if val.starts_with(' ') || v.contains(';') || val.ends_with(' ') || val.starts_with(',')
+		|| val.ends_with(',') {
 		return '"${v}"'
 	}
 	return v
diff --git a/vlib/net/http/cookie_test.v b/vlib/net/http/cookie_test.v
index 5924a7f24..f00c4f696 100644
--- a/vlib/net/http/cookie_test.v
+++ b/vlib/net/http/cookie_test.v
@@ -224,6 +224,13 @@ const write_set_cookie_tests = [
 		}
 		raw:    ''
 	},
+	SetCookieTestCase{
+		cookie: &http.Cookie{
+			name:  'complex-value'
+			value: 'a b,c;d'
+		}
+		raw:    'complex-value="a b,c;d"'
+	},
 ]
 const add_cookies_tests = [
 	AddCookieTestCase{
-- 
2.39.5