W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2013

Re: Cookie crumbling in -09

From: Martin Thomson <martin.thomson@gmail.com>
Date: Sun, 17 Nov 2013 16:44:19 -0800
Message-ID: <CABkgnnULhNe8-Yc_AY91=5P8VySGfigcHkcLT8gi9D7ebjAyTA@mail.gmail.com>
To: Willy Tarreau <w@1wt.eu>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
On 16 November 2013 00:02, Willy Tarreau <w@1wt.eu> wrote:
> Indeed, right now applications correctly handle cookie as a list
> of values which can be aggregated using commas like any other header
> field.

All the discussions thus far, plus a reasonably careful reading of RFC
6265 leads me to conclude that this is not the case.  In particular,
http://tools.ietf.org/html/rfc6265#section-5.4 is quite clear:

   When the user agent generates an HTTP request, the user agent MUST
   NOT attach more than one Cookie header field.

Given the grammar, which doesn't use the list construction or a comma,
merging with commas would seem to be invalid.

I'd be interested in learning if multiple headers appeared ever in the wild.
Received on Monday, 18 November 2013 00:44:47 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:11:19 UTC