Semicolon <code>;</code>, the <code>Cookie:</code> string or some other string?

<h3>Inspecting cookies in an HTTP request</h3> The <code>Cookie:</code> header has the following syntax: <pre class="prettyprint"><code>Cookie: <Name> = <Value> { ; <Name> = <Value> } </code></pre> Hence individual cookies are separated with the semicolon and a space. <h3>Setting cookies in an HTTP response</h3> On the other hand, when setting a cookie in the response, there one cookie per the <code>Set-Cookie:</code> header: <pre class="prettyprint"><code>Set-Cookie: <Name> = <Value> [ ; expires = <Date>] [ ; path = <Path> ] [ ; domain = <Domain> ] // etc… </code></pre> To set multiple cookies the <code>Set-Cookie</code> header is repeated in an HTTP response. <hr> Notes: <ul> <li>Have a look here for a tutorial with examples, and to RFC 6265 HTTP State Management Mechanism for a normative reference showing the full details of the syntax.</li> <li>The now-obsolete RFC 2965 defined an alternate pair of headers <code>Cookie2</code> and <code>Set-Cookie2</code> which were abandoned.</li> <li>The obsoleted versions of the HTTP State Management Mechanism (RFC 2109 and RFC 2965) provided a way to fold multiple <code>Set-Cookie</code> (or <code>Set-Cookie2</code>) headers into one. However, this folding is not recommended by the latest RFC 6265 spec.</li> </ul>

The answer is a comma <code>,</code> sign. In section 4.2.2 of RFC 2109 there's this specification of <code>Set-Cookie</code> header <pre class="prettyprint"><code> set-cookie = "Set-Cookie:" cookies cookies = 1#cookie </code></pre> with the following statement Informally, the Set-Cookie response header comprises the token Set-Cookie:, followed by a comma separated list of one or more cookies. (Formally meaning of <code>#</code> in the above notation is defined in RFC 733 in section A. NOTATIONAL CONVENTIONS, point 5 <blockquote> A construct "#" is defined, similar to "*", as follows: <pre class="prettyprint"><code> <l>#<m>element </code></pre> indicating at least <code><l></code> and at most <code><m></code> elements, each separated by one or more commas (","). </blockquote> Yes, RFC 2109 was obsoleted by RFC 2965, which in turn was obsoleted by RFC 6265. No, it doesn't change anything in this context as <ul> <li>most existing HTTP servers and clients support RFC 2109</li> <li>RFC 6265 does not forbid <code>Set-Cookie</code> folding</li> </ul>

In HTTP specification, what is the string that separates cookies?

Semicolon ;, the Cookie: string or some other string?

How are cookies separated?

Each cookie is separated by a comma , and each cookie attributes are separated by semicolons ; . The two values required are the first name=value pair which are always string values.

What HTTP part include cookies?

The Cookie HTTP request header contains stored HTTP cookies associated with the server (i.e. previously sent by the server with the Set-Cookie header or set in JavaScript using Document. cookie ). The Cookie header is optional and may be omitted if, for example, the browser's privacy settings block cookies.

What header line in HTTP response message is used for cookies?

The Set-Cookie HTTP response header is used to send a cookie from the server to the user agent, so that the user agent can send it back to the server later.

Where are cookies stored in HTTP?

The cookie file is stored in the user's browser application data folder. Later, the browser automatically sends this cookie as part of the request.

Inspecting cookies in an HTTP request

The Cookie: header has the following syntax:

Cookie: <Name> = <Value> { ; <Name> = <Value> }

Hence individual cookies are separated with the semicolon and a space.

Setting cookies in an HTTP response

On the other hand, when setting a cookie in the response, there one cookie per the Set-Cookie: header:

Set-Cookie: <Name> = <Value> [ ; expires = <Date>] [ ; path = <Path> ] [ ; domain = <Domain> ] // etc…

To set multiple cookies the Set-Cookie header is repeated in an HTTP response.

Notes:

Have a look here for a tutorial with examples, and to RFC 6265 HTTP State Management Mechanism for a normative reference showing the full details of the syntax.
The now-obsolete RFC 2965 defined an alternate pair of headers Cookie2 and Set-Cookie2 which were abandoned.
The obsoleted versions of the HTTP State Management Mechanism (RFC 2109 and RFC 2965) provided a way to fold multiple Set-Cookie (or Set-Cookie2) headers into one. However, this folding is not recommended by the latest RFC 6265 spec.

The answer is a comma , sign.

In section 4.2.2 of RFC 2109 there's this specification of Set-Cookie header

   set-cookie      =       "Set-Cookie:" cookies
   cookies         =       1#cookie

with the following statement Informally, the Set-Cookie response header comprises the token Set-Cookie:, followed by a comma separated list of one or more cookies. (Formally meaning of # in the above notation is defined in RFC 733 in section A. NOTATIONAL CONVENTIONS, point 5

A construct "#" is defined, similar to "*", as follows:
 <l>#<m>element
indicating at least <l> and at most <m> elements, each separated by one or more commas (",").

Yes, RFC 2109 was obsoleted by RFC 2965, which in turn was obsoleted by RFC 6265.
No, it doesn't change anything in this context as

most existing HTTP servers and clients support RFC 2109
RFC 6265 does not forbid Set-Cookie folding

In HTTP specification, what is the string that separates cookies?

Tags:

lovespring

People also ask

2 Answers

Inspecting cookies in an HTTP request

Setting cookies in an HTTP response

Ondrej Tucny

Piotr Dobrogost

Recent Activity

Donate For Us

In HTTP specification, what is the string that separates cookies?

Tags:

lovespring

People also ask

2 Answers

Inspecting cookies in an HTTP request

Setting cookies in an HTTP response

Ondrej Tucny

Piotr Dobrogost

Related questions

Recent Activity

Donate For Us