Bug 62213 - "Header append" description should mention that the Set-Cookie header is an exception to the standard.
Status: NEW
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: Documentation
Version: 2.5-HEAD
Hardware: All All
Importance: P2 minor
Target Milestone: ---
Assignee: HTTP Server Documentation List
Reported: 2018-03-22 15:17 UTC by Tim Steiner
Modified: 2018-03-22 16:19 UTC
Description Tim Steiner 2018-03-22 15:17:45 UTC
At https://httpd.apache.org/docs/current/mod/mod_headers.html#header where the "add" and "append" actions are described, the reader is told to not set a header multiple times, but instead to combine multiple header values into a comma-separated list.  This is normally correct.  However, RFC 6265 specifies the following:

"An origin server can include multiple Set-Cookie header fields in a single response."
and
"Origin servers SHOULD NOT fold multiple Set-Cookie header fields into a single header field."

So, if the reader follows the documented advice and appends to an existing Set-Cookie header, the results can be undesirable.  For example, I had an existing cookie's domain attribute changed to that of the cookie I was appending.  Could you please add a note that while "Header add" usually isn't the correct choice, there's an exception for the "Set-Cookie" header?

Thanks!
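
Added example, not part of the original report and not httpd or browser code: a simplified version of the RFC 6265 Set-Cookie parsing rules, run over two cookies sent as separate header fields and over the same two cookies folded into one comma-separated field. The cookie names and values are constructed, and the ", " separator used for the folded form is an assumption about how "Header append" joins values.

```python
# Simplified Set-Cookie parsing after RFC 6265 sections 5.2/5.3:
# the text before the first ';' is name=value, every later ';' part is an
# attribute, and when an attribute name repeats the last occurrence wins.

def parse_set_cookie(field_value):
    parts = field_value.split(";")
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # later duplicates overwrite
    return name.strip(), value.strip(), attrs


def fold(field_values):
    # Assumed result of:  Header append Set-Cookie "..."
    # (values merged into a single comma-separated field)
    return ", ".join(field_values)


# Constructed sample cookies.
SESSION = "session=abc123; Domain=app.example.com; Path=/"
TRACK = "track=xyz; Domain=example.com; Path=/"


def parse_separate():
    # Result of:  Header add Set-Cookie "..."
    # Each cookie travels in its own Set-Cookie field and is parsed alone.
    return [parse_set_cookie(v) for v in (SESSION, TRACK)]


def parse_folded():
    # A user agent sees one field, so it stores one cookie. The comma is not
    # a cookie delimiter: "track=xyz" is absorbed into a Path value and the
    # second Domain attribute replaces the first.
    return parse_set_cookie(fold([SESSION, TRACK]))


if __name__ == "__main__":
    for cookie in parse_separate():
        print("separate:", cookie)
    print("folded:  ", parse_folded())
```

In the folded case the "session" cookie ends up scoped to the appended cookie's domain and the "track" cookie is never set, which is the domain change described in the report.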