Usually, a browser groups cookies into a single Cookie
header, such as:
Cookie: a=1; b=2
Does the standard allow to send these as separate headers, such as:
Cookie: a=1
Cookie: b=2
Or do they always have to be on the same line?
Usually, a browser groups cookies into a single Cookie
header, such as:
Cookie: a=1; b=2
Does the standard allow to send these as separate headers, such as:
Cookie: a=1
Cookie: b=2
Or do they always have to be on the same line?
Chanced upon this page while looking for details on the topic. A quote from HTTP State Management Mechanism
, RFC 6265 ought to make things clearer:
5.4. The Cookie Header
When the user agent generates an HTTP request, the user agent MUST NOT attach more than one Cookie header field.
It looks like the use of multiple Cookie
headers is, in fact, prohibited!
it's now allowed in HTTP/2 (RFC 7540), which specifies:
8.1.2.5. Compressing the Cookie Header Field
The Cookie header field [COOKIE] uses a semi-colon (";") to delimit
cookie-pairs (or "crumbs"). This header field doesn't follow the
list construction rules in HTTP (see [RFC7230], Section 3.2.2), which
prevents cookie-pairs from being separated into different name-value
pairs. This can significantly reduce compression efficiency as
individual cookie-pairs are updated.
To allow for better compression efficiency, the Cookie header field
MAY be split into separate header fields, each with one or more
cookie-pairs. If there are multiple Cookie header fields after
decompression, these MUST be concatenated into a single octet string
using the two-octet delimiter of 0x3B, 0x20 (the ASCII string "; ")
before being passed into a non-HTTP/2 context, such as an HTTP/1.1
connection, or a generic HTTP server application.
Therefore, the following two lists of Cookie header fields are
semantically equivalent.
cookie: a=b; c=d; e=f
cookie: a=b
cookie: c=d
cookie: e=f