httpd-dev mailing list archives

From Plüm, Rüdiger, Vodafone Group <ruediger.pl...@vodafone.com>
Subject RE: Merging of Multiple Cookie Headers
Date Wed, 29 Jun 2016 07:33:02 GMT


> -----Original Message-----
> From: Rainer Canavan [mailto:rainer.canavan@sevenval.com]
> Sent: Tuesday, 28 June 2016 16:30
> To: dev@httpd.apache.org
> Subject: Merging of Multiple Cookie Headers
> 
> Hi,
> 
> We've observed multiple gateways, operated by e.g. AT&T, COLT and
> Vodafone, that inject additional Cookie: headers into client requests,
> such as
> 
> Cookie: actually=from_the_client
> Cookie: Bearer-Type=w-TCP
> Cookie: network-access-type=UMTS
> 
> Apache httpd merges those headers into a single, comma-separated list,
> and also appends the names and values of all Cookies set in the
> additional Cookie Headers to the value of the last Cookie of the first
> header. This can be seen by logging %{actually}C for the example
> above, which would contain
> 
> actually=from_the_client, Bearer-Type=w-TCP, network-access-type=UMTS
> 
> While RFC 6265 clearly requires that User-Agents send only a single
> Cookie: request header, I would argue that the Cookie header should be
> treated as an exception, similar to the Set-Cookie:-response header,
> and not be merged into a single header field. An alternative would be
> to use "; " as a separator.
> 
> Any thoughts?

How about

RequestHeader edit* Cookie ", " "; "

Regards

Rüdiger
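
Added example, not part of the original thread and not httpd's own code: a Python model of the merge described in the question and of the `RequestHeader edit*` rewrite suggested in the reply, showing what a cookie parser that splits on ";" sees before and after. The parser, the function names and the `pref` sample cookie are assumptions made for illustration.

```python
import re

def merge_like_httpd(cookie_headers):
    """Join repeated Cookie: header values with ", ", the merge described in the thread."""
    return ", ".join(cookie_headers)

def parse_cookies(header_value):
    """Simplified parser (assumption): pairs split on ';', name/value on the first '='."""
    cookies = {}
    for pair in header_value.split(";"):
        name, sep, value = pair.strip().partition("=")
        if sep and name not in cookies:
            cookies[name] = value
    return cookies

def edit_star(header_value):
    """Model of: RequestHeader edit* Cookie ", " "; "  (every match is replaced)."""
    return re.sub(", ", "; ", header_value)

# Constructed sample: the three Cookie: headers quoted in the original message.
HEADERS = ["actually=from_the_client", "Bearer-Type=w-TCP", "network-access-type=UMTS"]

def demo():
    """Return the merged header and the parsed cookies before and after the rewrite."""
    merged = merge_like_httpd(HEADERS)
    return merged, parse_cookies(merged), parse_cookies(edit_star(merged))

def demo_caveat():
    """A value that itself contains ", " is cut short by the rewrite.

    RFC 6265 forbids commas and spaces in cookie values, so only
    non-conforming cookies (constructed sample below) are affected.
    """
    merged = merge_like_httpd(["pref=red, green"])
    return parse_cookies(merged), parse_cookies(edit_star(merged))

if __name__ == "__main__":
    merged, before, after = demo()
    print("merged header :", merged)
    print("before rewrite:", before)
    print("after rewrite :", after)
    print("caveat        :", demo_caveat())
```

After the rewrite the gateway-injected cookies parse as ordinary cookies, so the application cannot tell them apart from cookies the client sent.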