stackoom
  简体   繁体   中英

Multiple Set-cookie headers in HTTP

 原文  2010-09-27 17:13:57       http/ browser/ http-headers

Question

I'm writing a small class that acts as a very basic HTTP client. As part of a project I'm working on, I'm making it cookie aware. However, it's unclear to me what happens when my client receives multiple "Set-Cookie" headers with the same key but different values are set.

For example, 

Set-Cookie: PHPSESSID=abc; path=/
Set-Cookie: PHPSESSID=def; path=/
Set-Cookie: PHPSESSID=ghi; path=/

Which one of these is supposed to be the value for PHPSESSID? This usually ends up happening when you call session_start() and then session_regenerate_id() on the same page. Each will set its own header. All browsers seem to do okay with this, but I can't seem to get my client to pick the right one out.

Any ideas?!

3 answers

solution1
 27  2011-10-20 02:49:20

RFC 6265 section 4.1.2 states:

If the user agent receives a new cookie with the same cookie-name,
domain-value, and path-value as a cookie that it has already stored,
the existing cookie is evicted and replaced with the new cookie.
Notice that servers can delete cookies by sending the user agent a
new cookie with an Expires attribute with a value in the past.

So I would process the headers in order given and overwrite them if there is a duplicate. So in your case you would have just one PHPSESSID=ghi.

solution2
 19  2014-07-24 20:32:06

RFC 6265 states:

Servers SHOULD NOT include more than one Set-Cookie header field in the same response with the same cookie-name.

I would therefore be very concerned if your service sends multiple Set-Cookie headers with the same key. Especially because I have seen user agents and proxies behave unexpectedly - sometimes taking the value of the first header, sometimes rearranging headers.

As a client, the typical user agent behavior seems to be to take the value of the last header. The RFC alludes to that behavior with this statement:

If the user agent receives a new cookie with the same cookie-name, domain-value, and path-value as a cookie that it has already stored, the existing cookie is evicted and replaced with the new cookie.

solution3
 2  2010-09-27 17:29:47

答案应该是draft-ietf-httpstate-cookie

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Setting multiple set-cookie headers in Dart with Shelf Where do http cookies come from, which are not set by “Set-Cookie” response headers? Sending “Set-Cookie” in a Python HTTP server Double Set-Cookie: PHPSESSID in http response $http response Set-Cookie not accessible Set-Cookie Headers ignored by Cache, but can subsequent “Cookie” headers cause session-poisoning Reading the Set-Cookie instructions in an HTTP Response header Set-Cookie doesn't set the cookie Set-Cookie: Wildcard “Path” GWT Preventing Set-Cookie HTTP Header from Actually Setting Cookie?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM