On 28 Jun 2016, at 4:29 PM, Rainer Canavan <rainer.cana...@sevenval.com> wrote:
> We've observed multiple gateways, operated by e.g. AT&T, COLT and
> Vodafone, that inject additional Cookie: headers into client requests,
> such as
>
> Cookie: actually=from_the_client
> Cookie: Bearer-Type=w-TCP
> Cookie: network-access-type=UMTS
>
> Apache httpd merges those headers into a single, comma separated list,
> and also appends the names and values of all Cookies set in the
> additional Cookie Headers to the value of the last Cookie of the first
> header. This can be seeen by logging %{actually}C for the example
> above, which would contain
>
> actually=from_the_client, Bearer-Type=w-TCP, network-access-type=UMTS
>
> While RFC 6265 clearly requires that User-Agents send only a single
> Cookie: request header, I would argue that the Cookie header should be
> treated as an exception, similar to the Set-Cookie:-response header,
> and not be merged into a single header field. An alternative would be
> to use "; " as a separator.
>
> Any thoughts?
What problem are you trying to solve?
Regards,
Graham
—
