PHP's cookie parser can be more lax in treating ", " similar to "; ", that 
would be a better avenue of redress.  Otherwise they can adopt libapreq2's 
cookie parsing code which has much richer support for merging cookie headers 
written to different cookie specs.

Sent from my iPhone

> On Jun 28, 2016, at 7:58 PM, Joseph Schaefer <joe_schae...@yahoo.com> wrote:
> 
> Anyways I agree with Bill that this isn't httpd's problem to fix.  The cookie 
> standards are abysmal which is why some level of strictness is required as 
> regards the de facto httpd behavior to prevent all hell from breaking loose.
> 
> Sent from my iPhone
> 
>> On Jun 28, 2016, at 7:51 PM, Joseph Schaefer <joe_schae...@yahoo.com> wrote:
>> 
>> Or use ssl so proxies can't monkey with the request headers.
>> 
>> Sent from my iPhone
>> 
>>> On Jun 28, 2016, at 7:48 PM, Joseph Schaefer <joe_schae...@yahoo.com> wrote:
>>> 
>>> Sales pitch: use libapreq2, which gracefully handles merged cookie headers 
>>> anyway.
>>> 
>>> Sent from my iPhone
>>> 
>>>> On Jun 28, 2016, at 6:39 PM, Joseph Schaefer <joe_schae...@yahoo.com> 
>>>> wrote:
>>>> 
>>>> The industry standard behavior regarding cookies is for user agents to 
>>>> send at most a single cookie header, and for servers to avoid merging 
>>>> set-cookie headers.  The set-cookie2 header is mergeable.
>>>> 
>>>> Sent from my iPhone
>>>> 
>>>>>> On Jun 28, 2016, at 6:14 PM, Rainer Canavan 
>>>>>> <rainer.cana...@sevenval.com> wrote:
>>>>>> 
>>>>>> On Tue, Jun 28, 2016 at 10:13 PM, William A Rowe Jr 
>>>>>> <wr...@rowe-clan.net> wrote:
>>>>>> On Tue, Jun 28, 2016 at 2:29 PM, Rainer Canavan
>>>>>> <rainer.cana...@sevenval.com> wrote:
>>>>>>> It's not just the Cookie that's logged via %{}C that gets nonsense
>>>>>>> appended, but the cookie parser of e.g. PHP behaves the same. I think
>>>>>>> httpd could handle this better by not merging the headers or merging
>>>>>>> them in a way that is consistent with the syntax of the Cookie:
>>>>>>> response header. Since the original Cookie: header sent by the client
>>>>>>> gets corrupted by httpd, I'd even prefer dropping any additional
>>>>>>> headers over the current behaviour.
>>>>>> 
>>>>>> That's not nonsense, and dropping isn't an option.  You need to review
>>>>>> 
>>>>>> https://tools.ietf.org/html/rfc7230#section-3.2.2
>>>>>> 
>>>>>> and stop and explain your confusion so we can assist.
>>>>> 
>>>>> I've read that already. The problem is that rfc 7230 explicitly states
>>>>> that Set-Cookie should be treated as a special case, but does not
>>>>> mention the Cookie request header, which suffers from similar problems.
>>>>> I agree that sending multiple Cookie headers is not allowed according
>>>>> to rfc 6265 and that combining them is perfectly fine according to
>>>>> rfc 7230, however, it's rather inconvenient and I believe it is
>>>>> unlikely that the current behavior is what the broken clients /
>>>>> proxies intend.
>>>>> 
>>>>> rainer
> 
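
The merge behaviour discussed in this thread, as an added example that is not part of any message above and is not httpd, PHP or libapreq2 code: two Cookie field lines are combined with ", " as RFC 7230 section 3.2.2 allows, then parsed by a parser that splits on ";" only and by a lax one that also accepts ", " before a name=value pair. All function names and the sample headers are constructed for illustration.

```python
import re

# Constructed sample: two Cookie field lines, as a broken client or proxy might send.
SAMPLE_HEADERS = [
    ("Host", "example.test"),
    ("Cookie", "session=abc123; theme=dark"),
    ("Cookie", "tracking=xyz789"),
]


def merge_field_lines(headers, name):
    """Combine repeated fields as RFC 7230 section 3.2.2 permits: join with ', '."""
    return ", ".join(v for k, v in headers if k.lower() == name.lower())


def _pairs_to_dict(pairs):
    cookies = {}
    for pair in pairs:
        key, sep, value = pair.strip().partition("=")
        if sep and key:
            # First occurrence wins; that is a choice made for this example.
            cookies.setdefault(key, value)
    return cookies


def parse_strict(cookie_header):
    """Split on ';' only, so a merged ', ' stays inside the preceding value."""
    return _pairs_to_dict(cookie_header.split(";"))


# ', ' is a separator only when a cookie name and '=' follow it, so a comma
# inside a value (outside RFC 6265 cookie-octet, but seen in practice) is kept.
_SEPARATOR = re.compile(r";\s*|,\s+(?=[^\s=;,]+=)")


def parse_lax(cookie_header):
    """Treat ', ' before a name=value pair like '; '."""
    return _pairs_to_dict(_SEPARATOR.split(cookie_header))


if __name__ == "__main__":
    merged = merge_field_lines(SAMPLE_HEADERS, "Cookie")
    print("merged:", merged)
    print("strict:", parse_strict(merged))
    print("lax:   ", parse_lax(merged))
```
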
