Hi,
We've observed multiple gateways, operated by e.g. AT&T, COLT and
Vodafone, that inject additional Cookie: headers into client requests,
such as
Cookie: actually=from_the_client
Cookie: Bearer-Type=w-TCP
Cookie: network-access-type=UMTS
Apache httpd merges those headers into a single, comma separated list,
and also appends the names and values of all Cookies set in the
additional Cookie Headers to the value of the last Cookie of the first
header. This can be seeen by logging %{actually}C for the example
above, which would contain
actually=from_the_client, Bearer-Type=w-TCP, network-access-type=UMTS
While RFC 6265 clearly requires that User-Agents send only a single
Cookie: request header, I would argue that the Cookie header should be
treated as an exception, similar to the Set-Cookie:-response header,
and not be merged into a single header field. An alternative would be
to use "; " as a separator.
Any thoughts?
rainer
