On Tue, Jun 28, 2016 at 6:09 PM, Graham Leggett <minf...@sharp.fm> wrote:
> On 28 Jun 2016, at 4:29 PM, Rainer Canavan <rainer.cana...@sevenval.com> wrote:
>
>> We've observed multiple gateways, operated by e.g. AT&T, COLT and
>> Vodafone, that inject additional Cookie: headers into client requests,
>> such as
>>
>> Cookie: actually=from_the_client
>> Cookie: Bearer-Type=w-TCP
>> Cookie: network-access-type=UMTS
>>
>> Apache httpd merges those headers into a single, comma separated list,
>> and also appends the names and values of all Cookies set in the
>> additional Cookie Headers to the value of the last Cookie of the first
>> header. This can be seen by logging %{actually}C for the example
>> above, which would contain
>>
>> actually=from_the_client, Bearer-Type=w-TCP, network-access-type=UMTS
>>
>> While RFC 6265 clearly requires that User-Agents send only a single
>> Cookie: request header, I would argue that the Cookie header should be
>> treated as an exception, similar to the Set-Cookie:-response header,
>> and not be merged into a single header field. An alternative would be
>> to use "; " as a separator.
>>
>> Any thoughts?
>
> What problem are you trying to solve?

It's not just the Cookie that's logged via %{}C that gets nonsense
appended, but the cookie parser of e.g. PHP behaves the same. I think
httpd could handle this better by not merging the headers or merging
them in a way that is consistent with the syntax of the Cookie:
response header. Since the original Cookie: header sent by the client
gets corrupted by httpd, I'd even prefer dropping any additional
headers over the current behaviour.

rainer
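
The merge behaviour discussed in this thread, as an added example that is not part of the original messages and is not httpd or PHP source: a minimal cookie parser (an assumption; it splits on ";" only, as the RFC 6265 Cookie syntax does) applied to the three headers joined with ", " and with "; ". All function names are hypothetical.

```python
# Added illustration for this thread; not httpd or PHP code.

def merge_headers(values, sep):
    """Join repeated header field values into one string, as a server might."""
    return sep.join(values)

def parse_cookie_header(value):
    """Minimal parse: cookie pairs are separated by ';' only (RFC 6265 syntax).
    Assumption: on duplicate names the first occurrence wins."""
    cookies = {}
    for pair in value.split(";"):
        pair = pair.strip()
        if "=" not in pair:
            continue
        name, _, val = pair.partition("=")
        cookies.setdefault(name.strip(), val.strip())
    return cookies

def corrupted_by_merge(values, sep):
    """Cookies from the first (client-sent) header whose value differs after
    the merged header is parsed. Returns {name: (original, after_merge)}."""
    original = parse_cookie_header(values[0])
    merged = parse_cookie_header(merge_headers(values, sep))
    return {n: (v, merged.get(n)) for n, v in original.items()
            if merged.get(n) != v}

def names_added_by_later_headers(values):
    """Cookie names that only appear in the second and later Cookie headers,
    i.e. the ones a gateway added in the example from the thread."""
    first = parse_cookie_header(values[0])
    later = parse_cookie_header(merge_headers(values[1:], "; "))
    return sorted(n for n in later if n not in first)

# The three Cookie headers quoted in the first message of the thread.
RECEIVED = [
    "actually=from_the_client",
    "Bearer-Type=w-TCP",
    "network-access-type=UMTS",
]

if __name__ == "__main__":
    for sep in (", ", "; "):
        merged = merge_headers(RECEIVED, sep)
        print(repr(sep), "->", parse_cookie_header(merged))
        print("  corrupted:", corrupted_by_merge(RECEIVED, sep))
    print("added by later headers:", names_added_by_later_headers(RECEIVED))
```

With "; " as the separator the client's cookie survives intact, but the added cookies then parse exactly like client-sent ones, so an application still cannot tell them apart from the merged header alone.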