On Tue, Jun 28, 2016 at 10:13 PM, William A Rowe Jr <wr...@rowe-clan.net> wrote: > On Tue, Jun 28, 2016 at 2:29 PM, Rainer Canavan > <rainer.cana...@sevenval.com> wrote: >> It's not just the Cookie that's logged via %{}C that gets nonsense >> appended, but the cookie parser of e.g. PHP behaves the same. I think >> httpd could handle this better by not merging the headers or merging >> them in a way that is consistent with the syntax of the Cookie: >> response header. Since the original Cookie: header sent by the client >> gets corrupted by httpd, I'd even prefer dripping any additional >> headers over the current behaviour. > > That's not nonsense, and dropping isn't an option. You need to review > > https://tools.ietf.org/html/rfc7230#section-3.2.2 > > and stop and explain your confusion so we can assist.
I've read that already. The problem is that rfc 7230 explicitly states that Set-Cookie should be treated as a special case, but does not mention the Cookie request header, which suffers from similar problems. I agree that sending multiple Cookie headers is not allowed according to rfc 6265 and that combining them is perfectly fine according to rfc 7230, however, it's rather inconvenient and I believe it is unlikely that the current behavior is what the broken clients / proxies intend. rainer