Is it possible to set more than one cookie with a single Set-Cookie?

by

The original cookie specification of Netscape (see this cached version) does not say anything about listing multiple cookie declarations.

But as of Set-Cookie as defined by RFC 2109 allows a comma separated list of cookie declaration:

Informally, the Set-Cookie response header comprises the token Set-Cookie:, followed by a comma-separated list of one or more cookies. Each cookie begins with a NAME=VALUE pair, followed by zero or more semi-colon-separated attribute-value pairs.

The same applies to Set-Cookie2 as defined by RFC 2965:

Informally, the Set-Cookie2 response header comprises the token Set-Cookie2:, followed by a comma-separated list of one or more cookies. Each cookie begins with a NAME=VALUE pair, followed by zero or more semi-colon-separated attribute-value pairs.

But since most user agents still follow Netscape’s original specification, I would rather suggest to just declare each cookie with its own Set-Cookie header field.

This is also what the latest RFC 6265 reflects:

Origin servers SHOULD NOT fold multiple Set-Cookie header fields into
a single header field. The usual mechanism for folding HTTP headers
fields (i.e., as defined in [RFC2616]) might change the semantics of
the Set-Cookie header field because the %x2C (“,”) character is used
by Set-Cookie in a way that conflicts with such folding.

More Related Contents:

  1. Share cookie between subdomain and domain
  2. How do browser cookie domains work?
  3. How to detect server-side whether cookies are disabled
  4. Why is it common to put CSRF prevention tokens in cookies?
  5. How to handle multiple cookies with the same name?
  6. Correct way to delete cookies server-side
  7. Cookie handling in Google Apps Script – How to send cookies in header?
  8. Why can’t I set a cookie and redirect?
  9. How are cookies passed in the HTTP protocol?
  10. How do I create a persistent vs a non-persistent cookie?
  11. Save cookies between two curl requests
  12. How does cookie “Secure” flag work?
  13. Domain set cookie for subdomain
  14. Share cookies between subdomain and domain
  15. Share a cookie between two websites
  16. Reading cookies via HTTPS that were set using HTTP
  17. Sending browser cookies during a 302 redirect
  18. What is the difference between server side cookie and client side cookie?
  19. Is a URL with // in the path-section valid?
  20. Should cookie values be URL encoded?
  21. How does HTTP file upload work?
  22. How to use Python to login to a webpage and retrieve cookies for later usage?
  23. How to pass url arguments (query string) to a HTTP request on Angular?
  24. How can I use an http proxy with node.js http.Client?
  25. CORS Access-Control-Allow-Headers wildcard being ignored?
  26. Detect end of HTTP request body
  27. How to correctly set Http Request Header in Angular 2
  28. Using “transfer-encoding: chunked”, how much data must be sent before browsers start rendering it?
  29. Do web browsers always send a trailing slash after a domain name?
  30. Chunked transfer encoding – browser behavior

Leave a Comment