fix: warn on invalid cookie name characters (#12806)

Author: eltigerchino

.changeset/old-points-tell.md

@@ -0,0 +1,5 @@
+---
+'@sveltejs/kit': patch
+---
+
+fix: warn on invalid cookie name characters

packages/kit/src/runtime/server/cookie.js

@@ -1,6 +1,9 @@
 import { parse, serialize } from 'cookie';
 import { add_data_suffix, normalize_path, resolve } from '../../utils/url.js';
 
+// eslint-disable-next-line no-control-regex -- control characters are invalid in cookie names
+const INVALID_COOKIE_CHARACTER_REGEX = /[\x00-\x1F\x7F()<>@,;:"/[\]?={} \t]/;
+
 /**
  * Tracks all cookies set during dev mode so we can emit warnings
  * when we detect that there's likely cookie misusage due to wrong paths
@@ -113,6 +116,14 @@ export function get_cookies(request, url, trailing_slash) {
 		 * @param {import('./page/types.js').Cookie['options']} options
 		 */
 		set(name, value, options) {
+			// TODO: remove this check in 3.0
+			const illegal_characters = name.match(INVALID_COOKIE_CHARACTER_REGEX);
+			if (illegal_characters) {
+				console.warn(
+					`The cookie name "${name}" will be invalid in SvelteKit 3.0 as it contains ${illegal_characters.join(' and ')}. See RFC 2616 for more details https://datatracker.ietf.org/doc/html/rfc2616#section-2.2`
+				);
+			}
+
 			validate_options(options);
 			set_internal(name, value, { ...defaults, ...options });
 		},