> -----Original Message----- > From: Rainer Canavan [mailto:rainer.cana...@sevenval.com] > Sent: Dienstag, 28. Juni 2016 16:30 > To: dev@httpd.apache.org > Subject: Mergine of Multiple Cookie Headers > > Hi, > > We've observed multiple gateways, operated by e.g. AT&T, COLT and > Vodafone, that inject additional Cookie: headers into client requests, > such as > > Cookie: actually=from_the_client > Cookie: Bearer-Type=w-TCP > Cookie: network-access-type=UMTS > > Apache httpd merges those headers into a single, comma separated list, > and also appends the names and values of all Cookies set in the > additional Cookie Headers to the value of the last Cookie of the first > header. This can be seeen by logging %{actually}C for the example > above, which would contain > > actually=from_the_client, Bearer-Type=w-TCP, network-access-type=UMTS > > While RFC 6265 clearly requires that User-Agents send only a single > Cookie: request header, I would argue that the Cookie header should be > treated as an exception, similar to the Set-Cookie:-response header, > and not be merged into a single header field. An alternative would be > to use "; " as a separator. > > Any thoughts?
How about RequestHeader edit* Cookie ", " "; " Regards Rüdiger
