Bug 62213

Summary: "Header append" description should mention that the Set-Cookie header is an exception to the standard.
Product: Apache httpd-2 Reporter: Tim Steiner <tsteiner>
Component: DocumentationAssignee: HTTP Server Documentation List <docs>
Status: NEW ---    
Severity: minor CC: mfairchild365
Priority: P2    
Version: 2.5-HEAD   
Target Milestone: ---   
Hardware: All   
OS: All   

Description Tim Steiner 2018-03-22 15:17:45 UTC 
At https://httpd.apache.org/docs/current/mod/mod_headers.html#header where the "add" and "append" actions are described, the reader is told to not set a header multiple times, but instead to combine multiple header values into a comma separated list.  This is normally correct.  However, RFC 6265 specifies the following:

"An origin server can include multiple Set-Cookie header fields in a single response."
and
"Origin servers SHOULD NOT fold multiple Set-Cookie header fields into a single header field."

So, if the reader follows the documented advice and appends to an existing Set-Cookie header, the results can be undesirable.  For example, I had an existing cookie's domain attribute changed to that of the cookie I was appending.  Could you please add a note that while "Header add" usually isn't the correct choice, there's an exception for the "Set-Cookie" header?

Thanks!