httpd-dev mailing list archives

From Rainer Canavan <>
Subject Re: Merging of Multiple Cookie Headers
Date Tue, 28 Jun 2016 19:29:13 GMT
On Tue, Jun 28, 2016 at 6:09 PM, Graham Leggett <> wrote:
> On 28 Jun 2016, at 4:29 PM, Rainer Canavan <> wrote:
>> We've observed multiple gateways, operated by e.g. AT&T, COLT and
>> Vodafone, that inject additional Cookie: headers into client requests,
>> such as
>> Cookie: actually=from_the_client
>> Cookie: Bearer-Type=w-TCP
>> Cookie: network-access-type=UMTS
>> Apache httpd merges those headers into a single, comma separated list,
>> and also appends the names and values of all Cookies set in the
>> additional Cookie Headers to the value of the last Cookie of the first
>> header. This can be seen by logging %{actually}C for the example
>> above, which would contain
>> actually=from_the_client, Bearer-Type=w-TCP, network-access-type=UMTS
>> While RFC 6265 clearly requires that User-Agents send only a single
>> Cookie: request header, I would argue that the Cookie header should be
>> treated as an exception, similar to the Set-Cookie:-response header,
>> and not be merged into a single header field. An alternative would be
>> to use "; " as a separator.
>> Any thoughts?
> What problem are you trying to solve?

It's not just the Cookie that's logged via %{}C that gets nonsense
appended, but the cookie parser of e.g. PHP behaves the same. I think
httpd could handle this better by not merging the headers or merging
them in a way that is consistent with the syntax of the Cookie:
response header. Since the original Cookie: header sent by the client
gets corrupted by httpd, I'd even prefer dropping any additional
headers over the current behaviour.
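The effect described in this thread, shown as an added example (not code from httpd or from the posting): the same three Cookie: headers are joined with the generic ", " field-merging separator and with "; ", then fed to a minimal RFC 6265 cookie-pair parser of my own, plus an assumed heuristic check a log or application reviewer could use to spot comma-merged cookie values.

```python
import re

# Constructed sample: the three Cookie: request headers from the posting,
# as they would arrive before any merging.
SAMPLE_COOKIE_HEADERS = [
    "actually=from_the_client",
    "Bearer-Type=w-TCP",
    "network-access-type=UMTS",
]


def merge_headers(values, separator):
    """Collapse repeated header field values into one using `separator`."""
    return separator.join(values)


def parse_cookie_header(header_value):
    """Minimal RFC 6265 cookie-string parser: cookie-pairs separated by ';'.
    Anything after the first '=' up to the next ';' is the cookie value."""
    cookies = {}
    for pair in header_value.split(";"):
        pair = pair.strip()
        if not pair:
            continue
        name, sep, value = pair.partition("=")
        if not sep:
            continue  # not a cookie-pair; ignore it
        cookies[name.strip()] = value.strip()
    return cookies


def cookies_after_merge(values, separator):
    """What a cookie parser sees once the headers have been merged."""
    return parse_cookie_header(merge_headers(values, separator))


# Assumed heuristic (not from the page): a ', name=' sequence inside one
# cookie value is a strong sign that several Cookie: headers were merged
# with a comma somewhere upstream.
_MERGED_PAIR = re.compile(r",\s*[^=;,\s]+=")


def looks_like_merged_cookie(cookie_value):
    """True when a single cookie value appears to contain further cookie-pairs."""
    return bool(_MERGED_PAIR.search(cookie_value))
```

With ", " the parser returns one cookie whose value is the whole remainder, exactly the string the posting reports for %{actually}C; with "; " it returns the three cookies the client and gateways intended.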

