Re: Cookie crumbling in -09 from Martin Thomson on 2013-11-18 (ietf-http-wg@w3.org from October to December 2013)

From: Martin Thomson <martin.thomson@gmail.com>
Date: Sun, 17 Nov 2013 16:44:19 -0800
To: Willy Tarreau <w@1wt.eu>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <CABkgnnULhNe8-Yc_AY91=5P8VySGfigcHkcLT8gi9D7ebjAyTA@mail.gmail.com>

On 16 November 2013 00:02, Willy Tarreau <w@1wt.eu> wrote:
> Indeed, right now applications correctly handle cookie as a list
> of values which can be aggregated using commas like any other header
> field.

All the discussions thus far, plus a reasonably careful reading of RFC
6265 leads me to conclude that this is not the case.  In particular,
http://tools.ietf.org/html/rfc6265#section-5.4 is quite clear:

   When the user agent generates an HTTP request, the user agent MUST
   NOT attach more than one Cookie header field.

Given the grammar, which doesn't use the list construction or a comma,
merging with commas would seem to be invalid.

I'd be interested in learning if multiple headers appeared ever in the wild.

Received on Monday, 18 November 2013 00:44:47 UTC