Multiple Set-cookie headers in HTTP

I'm writing a small class that acts as a very basic HTTP client. As part of a project I'm working on, I'm making it cookie aware. However, it's unclear to me what happens when my client receives multiple "Set-Cookie" headers with the same key but different values.

For example,

Set-Cookie: PHPSESSID=abc; path=/
Set-Cookie: PHPSESSID=def; path=/
Set-Cookie: PHPSESSID=ghi; path=/

Which one of these is supposed to be the value for PHPSESSID? This usually ends up happening when you call session_start() and then session_regenerate_id() on the same page. Each will set its own header. All browsers seem to do okay with this, but I can't seem to get my client to pick the right one out.

Any ideas?!

Scott asked Sep 27 '10 17:09



2 Answers

RFC 6265 section 4.1.2 states:

If the user agent receives a new cookie with the same cookie-name, domain-value, and path-value as a cookie that it has already stored, the existing cookie is evicted and replaced with the new cookie. Notice that servers can delete cookies by sending the user agent a new cookie with an Expires attribute with a value in the past.

So I would process the headers in the order given and overwrite them if there is a duplicate. So in your case you would have just one PHPSESSID=ghi.

Snives answered Oct 10 '22 23:10


RFC 6265 states:

Servers SHOULD NOT include more than one Set-Cookie header field in the same response with the same cookie-name.

I would therefore be very concerned if your service sends multiple Set-Cookie headers with the same key, especially because I have seen user agents and proxies behave unexpectedly - sometimes taking the value of the first header, sometimes rearranging headers.

As a client, the typical user agent behavior seems to be to take the value of the last header. The RFC alludes to that behavior with this statement:

If the user agent receives a new cookie with the same cookie-name, domain-value, and path-value as a cookie that it has already stored, the existing cookie is evicted and replaced with the new cookie.

Brad Koch answered Oct 10 '22 21:10
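Both answers describe the same RFC 6265 storage rule: a cookie is identified by (name, domain, path), a later Set-Cookie with the same identity replaces the earlier one, and an Expires date in the past removes it. The following is an added example for the asker's client, not code from either answer; it is a simplified parser (Max-Age, Secure and HttpOnly are ignored, and the request host is assumed to be the default domain) that shows the three PHPSESSID headers from the question collapsing to the last value.

```python
# Added example: minimal RFC 6265 cookie storage for a small HTTP client.
# Key = (cookie-name, domain, path). Same key -> evict and replace.
# Expires in the past -> delete. Attributes other than Path, Domain and
# Expires are ignored here to keep the example short.
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime


def parse_set_cookie(header_value, request_host):
    """Split one Set-Cookie header value into (name, value, attrs)."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {"domain": request_host.lower(), "path": "/", "expires": None}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "path" and val.startswith("/"):
            attrs["path"] = val
        elif key == "domain" and val:
            attrs["domain"] = val.lstrip(".").lower()
        elif key == "expires":
            try:
                dt = parsedate_to_datetime(val)
                if dt.tzinfo is None:          # treat naive dates as UTC
                    dt = dt.replace(tzinfo=timezone.utc)
                attrs["expires"] = dt
            except (TypeError, ValueError):
                pass                           # unparsable date: ignore
    return name.strip(), value.strip(), attrs


def store_cookies(jar, set_cookie_headers, request_host, now=None):
    """Apply Set-Cookie headers, in response order, to a jar (a dict)."""
    now = now or datetime.now(timezone.utc)
    for header_value in set_cookie_headers:
        name, value, attrs = parse_set_cookie(header_value, request_host)
        if not name:
            continue
        key = (name, attrs["domain"], attrs["path"])
        expires = attrs["expires"]
        if expires is not None and expires <= now:
            jar.pop(key, None)     # server deleted the cookie
        else:
            jar[key] = value       # later header wins for the same key
    return jar


# Constructed input: the three headers from the question, in order.
HEADERS = ["PHPSESSID=abc; path=/", "PHPSESSID=def; path=/",
           "PHPSESSID=ghi; path=/"]
```

`store_cookies({}, HEADERS, "example.com")` leaves a single entry with value `ghi`; a cookie with a different Path is a separate entry, and an Expires in the past removes the stored one.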