Say for example I had an application sending the following HTTP headers to set to cookie named "a":
Set-Cookie: a=1;Path=/;Version=1
Set-Cookie: a=2;Path=/example;Version=1
If I access /example
on the server both paths are valid, so I have two cookies named "a"! Since the browser doesn't send any path information, the two cookies cannot be distinguished.
Cookie: a=2; a=1
How should this case be handled? Pick the first one? Create a list with all cookie values? Or should such a case be considered as a developer's mistake?
I'm certainly aware of applications which do this extensively using multiple session ids - and seem to work consistently. However I don't know - and have no intention of finding out - if they do so because the browser returns the cookies in a consistent order depending on when they were set / which path they were set for or whether the app tries to match each one to an existing session.
I would strongly recommend that this practice be avoided.
However if you really want to know how the browsers (and apps) handle this scenario, why not build a test rig and try it out.
If you need to distinguish them you have to give them different key values.
From this article on SitePoint:
Edit: this information from 2010 appears to be outdated, it seems browsers can now send multiple cookies in return, see answer by @Nate below for details
There is nothing wrong with having multiple values for the same name... if you want them. You might even embed additional context in the value.
If you don't, then of course different names are a solution if you want both contexts.
The alternative is to send the same cookie name with the same path (and domain) even from the more specific paths. Those set cookie instructions will overwrite the value of that cookie.
Now that you know the most important part (how they work), and that you can accomplish what you need in a few different ways, my answer to your question is: this is a developer issue.
The answer referring to an article on SitePoint is not entirely complete. Please see RFC 6265 (to be fair, this RFC was released in 2011 after this question was posted, which supersedes previous RFC 2965 from 2000 and RFC 2109 from 1997).
Section 5.4, subsection 2 has this to say:
There is also this little gem in section 4.2.2:
In your example request cookie (Cookie: a=2; a=1) note that the cookie set with the path /example (a=2) has a longer path than the one with the path / (a=1) and so it is sent back to you first in line, which matches the recommendation of the spec. Thus you are more or less correct in your assumption that you could select the first value.
Unfortunately the language used in RFCs is extremely specific - the use of the words SHOULD and SHOULD NOT introduce ambiguity in RFCs. These indicate conventions that should be followed, but are not required to be conformant to the spec. While I understand the RFC for this quite well, I haven't done the research to see what real-world clients do; it's possible one or more browsers or other softwares acting as HTTP clients may not send the longest-path cookie (eg: /example) first in the Cookie: header.
If you are in a position to control the value of the cookie and you want to make your solution foolproof, you are best off either:
using a different cookie name to override in certain paths, such as:
storing the path you need in the cookie value itself:
Both of these workarounds require additional logic on the server to pick the desired cookie value, by comparing the requested URL against the list of available cookies. It's not too pretty. It's unfortunate the RFC did not have the foresight to require that a longer path completely overrides a cookie with a shorter path (eg: in your example, you would receive Cookie: a=2 only).