On Wed, Jun 29, 2016 at 9:33 AM, Plüm, Rüdiger, Vodafone Group
<[email protected]> wrote:
>
>
>> -----Original Message-----
>> From: Rainer Canavan [mailto:[email protected]]
>> Sent: Tuesday, 28 June 2016 16:30
>> To: [email protected]
>> Subject: Mergine of Multiple Cookie Headers
>>
>> Hi,
>>
>> We've observed multiple gateways, operated by e.g. AT&T, COLT and
>> Vodafone, that inject additional Cookie: headers into client requests,
>> such as
>>
>> Cookie: actually=from_the_client
>> Cookie: Bearer-Type=w-TCP
>> Cookie: network-access-type=UMTS
>>
>> Apache httpd merges those headers into a single, comma separated list,
>> and also appends the names and values of all Cookies set in the
>> additional Cookie Headers to the value of the last Cookie of the first
>> header. This can be seen by logging %{actually}C for the example
>> above, which would contain
>>
>> actually=from_the_client, Bearer-Type=w-TCP, network-access-type=UMTS
>>
>> While RFC 6265 clearly requires that User-Agents send only a single
>> Cookie: request header, I would argue that the Cookie header should be
>> treated as an exception, similar to the Set-Cookie:-response header,
>> and not be merged into a single header field. An alternative would be
>> to use "; " as a separator.
>>
>> Any thoughts?
>
> How about
>
> RequestHeader edit* Cookie ", " "; "

Or possibly something more generic (quoting, escaping...), but less
readable :p

RequestHeader edit* Cookie ([^=;,]++)(="(?:[^\\\\"]\\\\.)*+[^"]*+"|[^;,]*)?+[;,] $1$2; early

(with or without the "early" flag)

Regards,
Yann.
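
The merge behaviour and the simple `edit*` workaround from this thread, modelled as an added Python example (not code from any poster or from httpd). `merge_headers`, `simple_edit`, `parse_cookie` and `report` are hypothetical helpers, and both header samples are constructed: the first from the report above, the second to show the quoting case that a plain ", " replacement mishandles.

```python
import re

# Constructed sample: the three Cookie headers from the report in this thread.
REPORTED = [("Cookie", "actually=from_the_client"),
            ("Cookie", "Bearer-Type=w-TCP"),
            ("Cookie", "network-access-type=UMTS")]
# Constructed case: a client cookie whose quoted value contains ", ".
QUOTED = [("Cookie", 'pref="a, b"'), ("Cookie", "Bearer-Type=w-TCP")]


def merge_headers(headers, sep=", "):
    """Fold repeated Cookie fields into one value (hypothetical helper)."""
    return sep.join(v for k, v in headers if k.lower() == "cookie")


def simple_edit(value):
    """Model of: RequestHeader edit* Cookie ", " "; " (replace every match)."""
    return re.sub(", ", "; ", value)


def parse_cookie(value):
    """Split a Cookie value into name/value pairs; ';' is the only separator."""
    cookies = {}
    for pair in value.split(";"):
        name, _, val = pair.strip().partition("=")
        if name:
            cookies[name] = val
    return cookies


def report(headers):
    """Parse results for: comma merge, comma merge + edit, '; ' merge."""
    merged = merge_headers(headers)
    return (parse_cookie(merged),
            parse_cookie(simple_edit(merged)),
            parse_cookie(merge_headers(headers, sep="; ")))


if __name__ == "__main__":
    for sample in (REPORTED, QUOTED):
        for label, parsed in zip(("merged", "edited", "joined"), report(sample)):
            print(label, parsed)
```

For the constructed quoted sample, the post-merge edit splits the client's own `pref` value, while joining with "; " at merge time leaves it intact.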
