5

I'm trying to set two cookies in Apache (2.2), using mod_header, like so:

Header set Set-Cookie "poodle=noodle;path=/;Secure;HttpOnly;Expires=Wed, Jan 01 2020 2:02:02 GMT"
Header set Set-Cookie "tweedle=puddle;path=/;Secure;HttpOnly;Expires=Wed, Jan 01 2020 2:02:02 GMT"

But only the last cookie is being sent to the browser. I've done some searching, but only found people having this problem with no solution. I've tried combining them into one:

Header set Set-Cookie "poodle=noodle;tweedle=puddle;path=/;Secure;HttpOnly;Expires=Wed, Jan 01 2020 2:02:02 GMT"

Same problem. Do I need to use "Header append" instead? Any examples would be appreciated.

Spanky
  • 5,608
  • 10
  • 39
  • 45

2 Answers2

11

I would use mod_rewrite with the cookie flag the syntax is:

 [CO=NAME:VALUE:DOMAIN:lifetime:path:secure:httponly]

So you want something similar to:

RewriteEngine On
RewriteRule .* -  [CO=poodle:noodle:example.com:0:/:true:true]
RewriteRule .* -  [CO=tweedle:puddle:example.com:0:/:true:true]
Don
  • 184
  • 2
  • 3
  • 1
    Works great, thanks. I never noticed the [CO] section of the docs for mod_rewrite until now. – Spanky May 21 '13 at 20:30
10

According to the Apache manual http://httpd.apache.org/docs/current/mod/mod_headers.html#header you should use append:

Header append Set-Cookie "poodle=noodle;path=/;Secure;HttpOnly;Expires=Wed, Jan 01 2020 2:02:02 GMT"
Header append Set-Cookie "tweedle=puddle;path=/;Secure;HttpOnly;Expires=Wed, Jan 01 2020 2:02:02 GMT"

or according to HTTP use comma to separate multiple values:

Header append Set-Cookie "poodle=noodle;path=/;Secure;HttpOnly;Expires=Wed, Jan 01 2020 2:02:02 GMT, tweedle=puddle;path=/;Secure;HttpOnly;Expires=Wed, Jan 01 2020 2:02:02 GMT"

or use Header add if you want avoid comma separated cookies in one header to follow suggestions in RFC 6265 section 3 (as noted by @SteveC):

Header add Set-Cookie "poodle=noodle;path=/;Secure;HttpOnly;Expires=Wed, Jan 01 2020 2:02:02 GMT"
Header add Set-Cookie "tweedle=puddle;path=/;Secure;HttpOnly;Expires=Wed, Jan 01 2020 2:02:02 GMT"
Cybot
  • 668
  • 7
  • 20
  • Do you hardcode the expires date on your Set-Cookie entry? How do you get that to be dynamic? – DavidGamba Apr 10 '15 at 20:05
  • you can use max-age attribute (http://tools.ietf.org/html/rfc6265) with seconds, or you do some math with the request time ... but i do not kow how. – Cybot Apr 14 '15 at 07:30
  • max-age doesn't work with IE11 or earlier: mrcoles.com/blog/cookies-max-age-vs-expires/ – DavidGamba Apr 14 '15 at 19:40
  • By the way, I asked how to set the expires dynamically in the Set-Cookie entry here: http://stackoverflow.com/q/29549963/1601989 – DavidGamba Apr 14 '15 at 21:40
  • 1
    You cannot use `Header append Set-Cookie` because this will just append the cookie value to any existing `Set-Cookie` header with a comma. This is forbidden by RFC6265. – Steve C May 29 '17 at 07:04
  • @SteveC, it is only "should not" and not forbidden - if your referring to section 3 of RFC6265, but you can use "Header add" instead of "append" for Set-Cookie – Cybot Jun 09 '17 at 09:51
  • `Header add` worked for me but the first two ways didn't work – Moe Feb 01 '21 at 10:00