From: Yann Ylavic
Date: Wed, 29 Jun 2016 10:27:53 +0200
Subject: Re: Mergine of Multiple Cookie Headers
To: httpd-dev

On Wed, Jun 29, 2016 at 9:33 AM, Plüm, Rüdiger, Vodafone Group wrote:
>
>
>> -----Original Message-----
>> From: Rainer Canavan [mailto:rainer.canavan@sevenval.com]
>> Sent: Tuesday, 28 June 2016 16:30
>> To: dev@httpd.apache.org
>> Subject: Mergine of Multiple Cookie Headers
>>
>> Hi,
>>
>> We've observed multiple gateways, operated by e.g. AT&T, COLT and
>> Vodafone, that inject additional Cookie: headers into client requests,
>> such as
>>
>> Cookie: actually=from_the_client
>> Cookie: Bearer-Type=w-TCP
>> Cookie: network-access-type=UMTS
>>
>> Apache httpd merges those headers into a single, comma separated list,
>> and also appends the names and values of all Cookies set in the
>> additional Cookie Headers to the value of the last Cookie of the first
>> header. This can be seen by logging %{actually}C for the example
>> above, which would contain
>>
>> actually=from_the_client, Bearer-Type=w-TCP, network-access-type=UMTS
>>
>> While RFC 6265 clearly requires that User-Agents send only a single
>> Cookie: request header, I would argue that the Cookie header should be
>> treated as an exception, similar to the Set-Cookie:-response header,
>> and not be merged into a single header field. An alternative would be
>> to use "; " as a separator.
>>
>> Any thoughts?
>
> How about
>
> RequestHeader edit* Cookie ", " "; "

Or possibly something more generic (quoting, escaping...), but less readable :p

RequestHeader edit* Cookie ([^=;,]++)(="(?:[^\\\\"]\\\\.)*+[^"]*+"|[^;,]*)?+[;,] $1$2; early

(with or without the "early" flag)

Regards,
Yann.
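
The behaviour discussed in this thread, as an added example that is not part of the original messages or of httpd's code: a Python model of the ", " merge, the polluted value a per-cookie lookup then returns, the effect of the simple ", " to "; " edit, and the quoted-value case that edit breaks. All function names, the lookup model (pairs split on ";" only), the quote-aware variant and the sample values are assumptions constructed for illustration.

```python
def merge_headers(values):
    """Join repeated header fields with ', ', the merge the thread describes."""
    return ", ".join(values)

def cookie_lookup(header, name):
    """Simplified lookup model (an assumption): pairs are split on ';' only."""
    for pair in header.split(";"):
        key, sep, value = pair.partition("=")
        if sep and key.strip().lower() == name.lower():
            return value.strip()
    return None

def simple_edit(header):
    """Model of the thread's edit: every ', ' becomes '; '."""
    return header.replace(", ", "; ")

def quote_aware_edit(header):
    """Hypothetical variant: rewrite ', ' only outside double-quoted strings."""
    out, in_quotes, i = [], False, 0
    while i < len(header):
        ch = header[i]
        if in_quotes and ch == "\\" and i + 1 < len(header):
            out.append(header[i:i + 2])  # keep a backslash-escaped char intact
            i += 2
        elif not in_quotes and header.startswith(", ", i):
            out.append("; ")
            i += 2
        else:
            if ch == '"':
                in_quotes = not in_quotes
            out.append(ch)
            i += 1
    return "".join(out)

# Constructed samples: the three fields quoted in the thread, and a quoted
# value that itself contains ", ".
INJECTED = ["actually=from_the_client", "Bearer-Type=w-TCP",
            "network-access-type=UMTS"]
QUOTED = ['pref="a, b"', "Bearer-Type=w-TCP"]

if __name__ == "__main__":
    merged = merge_headers(INJECTED)
    print(repr(cookie_lookup(merged, "actually")))               # polluted
    print(repr(cookie_lookup(simple_edit(merged), "actually")))  # clean
    quoted = merge_headers(QUOTED)
    print(repr(cookie_lookup(simple_edit(quoted), "pref")))      # truncated
    print(repr(cookie_lookup(quote_aware_edit(quoted), "pref"))) # intact
```

In the merged form the injected cookies are also invisible to a lookup by their own names, so anything keyed on the first cookie's value (logging, session matching) sees gateway-supplied data appended to it.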