https://bz.apache.org/bugzilla/show_bug.cgi?id=63434
Michael Kaufmann <[email protected]> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |apache-bugzilla@michael-kau | |fmann.ch --- Comment #9 from Michael Kaufmann <[email protected]> --- The current release of Apache Tomcat rejects "Cookie" headers that contain a comma. But it accepts multiple "Cookie" headers. Tomcat understands this request: Cookie: a=b; c=d Cookie: e=f; g=h Apache httpd may be used as a reverse proxy, and Tomcat ignores this merged header: Cookie: a=b; c=d, e=f; g=h Tomcat understands this header, merged with "; " instead of ", ": Cookie: a=b; c=d; e=f; g=h Note that the major browsers don't cut cookies at commas. For example. browsers parse this as a single cookie "a" with the value "b, c=d": Set-Cookie: a=b, c=d And browsers will send this back to the server like this: Cookie: a=b, c=d So in reality, the "Cookie" header should not be split at ",". I think that merging multiple "Cookie" headers with "; " would be correct. -- You are receiving this mail because: You are the assignee for the bug. --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
