Bug 62213 - "Header append" description should mention that the Set-Cookie header is an exception to the standard.
Summary: "Header append" description should mention that the Set-Cookie header is an e...
Status: NEW
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: Documentation (show other bugs)
Version: 2.5-HEAD
Hardware: All All
: P2 minor (vote)
Target Milestone: ---
Assignee: HTTP Server Documentation List
Depends on:
Reported: 2018-03-22 15:17 UTC by Tim Steiner
Modified: 2018-03-22 16:19 UTC (History)
1 user (show)


Note You need to log in before you can comment on or make changes to this bug.
Description Tim Steiner 2018-03-22 15:17:45 UTC
At https://httpd.apache.org/docs/current/mod/mod_headers.html#header where the "add" and "append" actions are described, the reader is told to not set a header multiple times, but instead to combine multiple header values into a comma separated list.  This is normally correct.  However, RFC 6265 specifies the following:

"An origin server can include multiple Set-Cookie header fields in a single response."
"Origin servers SHOULD NOT fold multiple Set-Cookie header fields into a single header field."

So, if the reader follows the documented advice and appends to an existing Set-Cookie header, the results can be undesirable.  For example, I had an existing cookie's domain attribute changed to that of the cookie I was appending.  Could you please add a note that while "Header add" usually isn't the correct choice, there's an exception for the "Set-Cookie" header?