aspnet · BrennanConroy · Jan 29, 2016 · Jan 29, 2016
diff --git a/src/Microsoft.AspNetCore.Http/ResponseCookies.cs b/src/Microsoft.AspNetCore.Http/ResponseCookies.cs
@@ -38,8 +38,8 @@ public ResponseCookies(IHeaderDictionary headers)
         public void Append(string key, string value)
         {
             var setCookieHeaderValue = new SetCookieHeaderValue(
-                    UrlEncoder.Default.Encode(key),
-                    UrlEncoder.Default.Encode(value))
+                    Uri.EscapeDataString(key),
+                    Uri.EscapeDataString(value))
             {
                 Path = "/"
             };
@@ -61,8 +61,8 @@ public void Append(string key, string value, CookieOptions options)
             }
 
             var setCookieHeaderValue = new SetCookieHeaderValue(
-                    UrlEncoder.Default.Encode(key),
-                    UrlEncoder.Default.Encode(value))
+                    Uri.EscapeDataString(key),
+                    Uri.EscapeDataString(value))
             {
                 Domain = options.Domain,
                 Path = options.Path,
@@ -95,7 +95,7 @@ public void Delete(string key, CookieOptions options)
                 throw new ArgumentNullException(nameof(options));
             }
 
-            var encodedKeyPlusEquals = UrlEncoder.Default.Encode(key) + "=";
+            var encodedKeyPlusEquals = Uri.EscapeDataString(key) + "=";
             bool domainHasValue = !string.IsNullOrEmpty(options.Domain);
             bool pathHasValue = !string.IsNullOrEmpty(options.Path);
 

diff --git a/test/Microsoft.AspNetCore.Http.Tests/DefaultHttpRequestTests.cs b/test/Microsoft.AspNetCore.Http.Tests/DefaultHttpRequestTests.cs
@@ -172,15 +172,15 @@ public void Cookies_GetAndSet()
             Assert.Null(cookies0["key0"]);
             Assert.False(cookies0.ContainsKey("key0"));
 
-            var newCookies = new[] { "name0=value0", "name1=value1" };
+            var newCookies = new[] { "name0=value0%2C", "%5Ename1=value1" };
             request.Headers["Cookie"] = newCookies;
 
             cookies0 = RequestCookieCollection.Parse(newCookies);
             var cookies1 = request.Cookies;
             Assert.Equal(cookies0, cookies1);
             Assert.Equal(2, cookies1.Count);
-            Assert.Equal("value0", cookies1["name0"]);
-            Assert.Equal("value1", cookies1["name1"]);
+            Assert.Equal("value0,", cookies1["name0"]);
+            Assert.Equal("value1", cookies1["^name1"]);
             Assert.Equal(newCookies, request.Headers["Cookie"]);
 
             var cookies2 = new RequestCookieCollection(new Dictionary<string,string>()

diff --git a/test/Microsoft.AspNetCore.Http.Tests/ResponseCookiesTest.cs b/test/Microsoft.AspNetCore.Http.Tests/ResponseCookiesTest.cs
@@ -42,5 +42,20 @@ public void NoParamsDeleteRemovesCookieCreatedByAdd()
             Assert.Contains("expires=Thu, 01 Jan 1970 00:00:00 GMT", cookieHeaderValues[0]);
         }
 
+        [Theory]
+        [InlineData("key", "value", "key=value")]
+        [InlineData("key,", "!value", "key%2C=%21value")]
+        [InlineData("ke#y,", "val^ue", "ke%23y%2C=val%5Eue")]
+        public void EscapesKeyValuesBeforeSettingCookie(string key, string value, string expected)
+        {
+            var headers = new HeaderDictionary();
+            var cookies = new ResponseCookies(headers);
+
+            cookies.Append(key, value);
+
+            var cookieHeaderValues = headers[HeaderNames.SetCookie];
+            Assert.Equal(1, cookieHeaderValues.Count);
+            Assert.StartsWith(expected, cookieHeaderValues[0]);
+        }
     }
 }