Semicolon <code>;</code>, the <code>Cookie:</code> string or some other string?

<h3>Inspecting cookies in an HTTP request</h3> The <code>Cookie:</code> header has the following syntax: <pre class="prettyprint"><code>Cookie: <Name> = <Value> { ; <Name> = <Value> } </code></pre> Hence individual cookies are separated with the semicolon and a space. <h3>Setting cookies in an HTTP response</h3> On the other hand, when setting a cookie in the response, there one cookie per the <code>Set-Cookie:</code> header: <pre class="prettyprint"><code>Set-Cookie: <Name> = <Value> [ ; expires = <Date>] [ ; path = <Path> ] [ ; domain = <Domain> ] // etc… </code></pre> To set multiple cookies the <code>Set-Cookie</code> header is repeated in an HTTP response. <hr> Notes: <ul> <li>Have a look here for a tutorial with examples, and to RFC 6265 HTTP State Management Mechanism for a normative reference showing the full details of the syntax.</li> <li>The now-obsolete RFC 2965 defined an alternate pair of headers <code>Cookie2</code> and <code>Set-Cookie2</code> which were abandoned.</li> <li>The obsoleted versions of the HTTP State Management Mechanism (RFC 2109 and RFC 2965) provided a way to fold multiple <code>Set-Cookie</code> (or <code>Set-Cookie2</code>) headers into one. However, this folding is not recommended by the latest RFC 6265 spec.</li> </ul>

The answer is a comma <code>,</code> sign. In section 4.2.2 of RFC 2109 there's this specification of <code>Set-Cookie</code> header <pre class="prettyprint"><code> set-cookie = "Set-Cookie:" cookies cookies = 1#cookie </code></pre> with the following statement Informally, the Set-Cookie response header comprises the token Set-Cookie:, followed by a comma separated list of one or more cookies. (Formally meaning of <code>#</code> in the above notation is defined in RFC 733 in section A. NOTATIONAL CONVENTIONS, point 5 <blockquote> A construct "#" is defined, similar to "*", as follows: <pre class="prettyprint"><code> <l>#<m>element </code></pre> indicating at least <code><l></code> and at most <code><m></code> elements, each separated by one or more commas (","). </blockquote> Yes, RFC 2109 was obsoleted by RFC 2965, which in turn was obsoleted by RFC 6265. No, it doesn't change anything in this context as <ul> <li>most existing HTTP servers and clients support RFC 2109</li> <li>RFC 6265 does not forbid <code>Set-Cookie</code> folding</li> </ul>

In HTTP specification, what is the string that separates cookies?

2 Answers

Inspecting cookies in an HTTP request

The Cookie: header has the following syntax:

Cookie: <Name> = <Value> { ; <Name> = <Value> }

Hence individual cookies are separated with the semicolon and a space.

Setting cookies in an HTTP response

On the other hand, when setting a cookie in the response, there one cookie per the Set-Cookie: header:

Set-Cookie: <Name> = <Value> [ ; expires = <Date>] [ ; path = <Path> ] [ ; domain = <Domain> ] // etc…

To set multiple cookies the Set-Cookie header is repeated in an HTTP response.

Notes:

Have a look here for a tutorial with examples, and to RFC 6265 HTTP State Management Mechanism for a normative reference showing the full details of the syntax.
The now-obsolete RFC 2965 defined an alternate pair of headers Cookie2 and Set-Cookie2 which were abandoned.
The obsoleted versions of the HTTP State Management Mechanism (RFC 2109 and RFC 2965) provided a way to fold multiple Set-Cookie (or Set-Cookie2) headers into one. However, this folding is not recommended by the latest RFC 6265 spec.

153

answered Sep 20 '22 11:09

Ondrej Tucny

The answer is a comma , sign.

In section 4.2.2 of RFC 2109 there's this specification of Set-Cookie header

   set-cookie      =       "Set-Cookie:" cookies
   cookies         =       1#cookie

with the following statement Informally, the Set-Cookie response header comprises the token Set-Cookie:, followed by a comma separated list of one or more cookies. (Formally meaning of # in the above notation is defined in RFC 733 in section A. NOTATIONAL CONVENTIONS, point 5

A construct "#" is defined, similar to "*", as follows:
 <l>#<m>element
indicating at least <l> and at most <m> elements, each separated by one or more commas (",").

Yes, RFC 2109 was obsoleted by RFC 2965, which in turn was obsoleted by RFC 6265.
No, it doesn't change anything in this context as

most existing HTTP servers and clients support RFC 2109
RFC 6265 does not forbid Set-Cookie folding

answered Sep 21 '22 11:09

Piotr Dobrogost

Related questions
                            
                                jquery val() contains()
                            
                                Const Methods that Return References
                            
                                How does --$| work in Perl?
                            
                                IE9 Support for HTML5 Canvas tag
                            
                                Can't get pluralize/singularize working with ActiveSupport::Inflector (in irb)
                            
                                Get list of local computer usernames in Windows
                            
                                Explicitly set MySQL table storage engine using South and Django
                            
                                Why is my form_tag method a post when I am asking for a get?
                            
                                complexity of recursive string permutation function
                            
                                asp.net web forms json return result
                            
                                Casting from one pointer to pointer type to another in Golang error
                            
                                (Scale) Zoom into a UIView at a point

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!

Donate Us With

In HTTP specification, what is the string that separates cookies?

Tags:

lovespring

People also ask