Hi, We've observed multiple gateways, operated by e.g. AT&T, COLT and Vodafone, that inject additional Cookie: headers into client requests, such as
Cookie: actually=from_the_client Cookie: Bearer-Type=w-TCP Cookie: network-access-type=UMTS Apache httpd merges those headers into a single, comma separated list, and also appends the names and values of all Cookies set in the additional Cookie Headers to the value of the last Cookie of the first header. This can be seeen by logging %{actually}C for the example above, which would contain actually=from_the_client, Bearer-Type=w-TCP, network-access-type=UMTS While RFC 6265 clearly requires that User-Agents send only a single Cookie: request header, I would argue that the Cookie header should be treated as an exception, similar to the Set-Cookie:-response header, and not be merged into a single header field. An alternative would be to use "; " as a separator. Any thoughts? rainer