httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rainer Canavan <>
Subject Mergine of Multiple Cookie Headers
Date Tue, 28 Jun 2016 14:29:59 GMT

We've observed multiple gateways, operated by e.g. AT&T, COLT and
Vodafone, that inject additional Cookie: headers into client requests,
such as

Cookie: actually=from_the_client
Cookie: Bearer-Type=w-TCP
Cookie: network-access-type=UMTS

Apache httpd merges those headers into a single, comma separated list,
and also appends the names and values of all Cookies set in the
additional Cookie Headers to the value of the last Cookie of the first
header. This can be seeen by logging  %{actually}C for the example
above, which would contain

actually=from_the_client, Bearer-Type=w-TCP, network-access-type=UMTS

While RFC 6265 clearly requires that User-Agents send only a single
Cookie: request header, I would argue that the Cookie header should be
treated as an exception, similar to the Set-Cookie:-response header,
and not be merged into a single header field. An alternative would be
to use "; " as a separator.

Any thoughts?


View raw message