httpd-dev mailing list archives

From Yann Ylavic <ylavic....@gmail.com>
Subject Re: Mergine of Multiple Cookie Headers
Date Wed, 29 Jun 2016 08:27:53 GMT
On Wed, Jun 29, 2016 at 9:33 AM, Plüm, Rüdiger, Vodafone Group
<ruediger.pluem@vodafone.com> wrote:
>
>
>> -----Original Message-----
>> From: Rainer Canavan [mailto:rainer.canavan@sevenval.com]
>> Sent: Tuesday, 28 June 2016 16:30
>> To: dev@httpd.apache.org
>> Subject: Mergine of Multiple Cookie Headers
>>
>> Hi,
>>
>> We've observed multiple gateways, operated by e.g. AT&T, COLT and
>> Vodafone, that inject additional Cookie: headers into client requests,
>> such as
>>
>> Cookie: actually=from_the_client
>> Cookie: Bearer-Type=w-TCP
>> Cookie: network-access-type=UMTS
>>
>> Apache httpd merges those headers into a single, comma separated list,
>> and also appends the names and values of all Cookies set in the
>> additional Cookie Headers to the value of the last Cookie of the first
>> header. This can be seen by logging %{actually}C for the example
>> above, which would contain
>>
>> actually=from_the_client, Bearer-Type=w-TCP, network-access-type=UMTS
>>
>> While RFC 6265 clearly requires that User-Agents send only a single
>> Cookie: request header, I would argue that the Cookie header should be
>> treated as an exception, similar to the Set-Cookie:-response header,
>> and not be merged into a single header field. An alternative would be
>> to use "; " as a separator.
>>
>> Any thoughts?
>
> How about
>
> RequestHeader edit* Cookie ", " "; "

Or possibly something more generic (quoting, escaping...), but less readable :p

RequestHeader edit* Cookie ([^=;,]++)(="(?:[^\\\\"]\\\\.)*+[^"]*+"|[^;,]*)?+[;,] $1$2; early

(with or without the "early" flag)

Regards,
Yann.
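
Added example, not part of the original message and not httpd code: a Python model of the merge reported in this thread, showing what a ';'-splitting cookie parser sees before and after the simple ", " to "; " rewrite, and why a quoted value containing ", " calls for the quote-aware handling mentioned above. The helper names and the `pref` sample are assumptions made for the illustration; `rewrite_quote_aware` is not a port of the regex in the message.

```python
# Added illustration: models the merge described in the thread, not httpd's source.

def merge_like_httpd(header_values):
    """Join repeated Cookie header values with ', ' as the report describes."""
    return ", ".join(header_values)

def parse_cookies(value):
    """Split a Cookie header value on ';' into a name -> value dict."""
    cookies = {}
    for pair in value.split(";"):
        name, sep, val = pair.strip().partition("=")
        if sep and name:
            cookies[name] = val
    return cookies

def rewrite_simple(value):
    # Same effect as the directive: RequestHeader edit* Cookie ", " "; "
    return value.replace(", ", "; ")

def rewrite_quote_aware(value):
    """Hypothetical helper: rewrite ', ' only outside double-quoted strings."""
    out, in_quotes, i = [], False, 0
    while i < len(value):
        if in_quotes and value[i] == "\\" and i + 1 < len(value):
            out.append(value[i:i + 2])  # keep an escaped character untouched
            i += 2
        elif not in_quotes and value.startswith(", ", i):
            out.append("; ")
            i += 2
        else:
            if value[i] == '"':
                in_quotes = not in_quotes
            out.append(value[i])
            i += 1
    return "".join(out)

# The three headers quoted in the original report.
INJECTED = ["actually=from_the_client", "Bearer-Type=w-TCP", "network-access-type=UMTS"]
# Constructed sample: a quoted value that itself contains ", ".
QUOTED = ['pref="a, b"', "Bearer-Type=w-TCP"]

if __name__ == "__main__":
    for headers in (INJECTED, QUOTED):
        merged = merge_like_httpd(headers)
        print(parse_cookies(merged))                       # as merged
        print(parse_cookies(rewrite_simple(merged)))       # simple rewrite
        print(parse_cookies(rewrite_quote_aware(merged)))  # quote-aware rewrite
```

With the constructed `QUOTED` input the simple rewrite truncates `pref` at the comma inside the quotes, while the quote-aware version leaves the value intact.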
