Re: Set-Cookie vs list header parsing (i129)

Julian Reschke wrote:
> To be complete we would also need to cite the original spec
> (<>, 404s...). We
> already have three cookie-related references; enough is enough, isn't it?

Well, but that one is more worth citing than some of the others, since
it's pretty much what people actually implement in practice.

> The currently proposed text is at:
> <>

AFAIK, the problem is only with "Set-Cookie", not "Cookie". (There's no
need to send multiple Cookie headers; the spec says you're supposed to
include all of the cookies, semicolon-delimited, in a single Cookie header.)

> Brian also proposed to make this REQUIRED behavior.

FWIW, 3 out of the big 4 browsers also don't correctly parse multiple
WWW-Authenticate headers that have been merged into one (even though
2617 explicitly points out this possibility). So it might be best to
just say that intermediaries SHOULD NOT merge headers, except in cases
where they know it's safe.

-- Dan

Received on Wednesday, 20 August 2008 12:59:13 UTC