20

Semicolon ;, the Cookie: string or some other string?

Piotr Dobrogost
lovespring
  • Related: [Does Set-Cookie ever contain more than one cookie?](http://stackoverflow.com/questions/5872100/), [Is it possible to set more than one cookie with a single Set-Cookie?](http://stackoverflow.com/questions/2880047/) – Piotr Dobrogost Nov 24 '11 at 22:13

2 Answers

38

Inspecting cookies in an HTTP request

The Cookie: header has the following syntax:

Cookie: <Name> = <Value> { ; <Name> = <Value> }

Hence individual cookies are separated with the semicolon and a space.

Setting cookies in an HTTP response

On the other hand, when setting a cookie in the response, there is one cookie per Set-Cookie: header:

Set-Cookie: <Name> = <Value> [ ; expires = <Date>] [ ; path = <Path> ] [ ; domain = <Domain> ] // etc…

To set multiple cookies the Set-Cookie header is repeated in an HTTP response.


Notes:

  • Have a look here for a tutorial with examples, and to RFC 6265 HTTP State Management Mechanism for a normative reference showing the full details of the syntax.
  • The now-obsolete RFC 2965 defined an alternate pair of headers Cookie2 and Set-Cookie2 which were abandoned.
  • The obsoleted versions of the HTTP State Management Mechanism (RFC 2109 and RFC 2965) provided a way to fold multiple Set-Cookie (or Set-Cookie2) headers into one. However, this folding is not recommended by the latest RFC 6265 spec.
Ondrej Tucny
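A small parser for the request-side `Cookie:` header as the accepted answer describes it, added here as an illustration (it is not code from the original answer). It splits cookie-pairs on the semicolon, splits each pair at its first `=` so a `=` inside a value is preserved, and keeps duplicate names in order, because a server that collapses them into a dict silently loses one of the cookies the user agent sent. The sample header value is constructed.

```python
# Added example (not from the original answer): parse a request Cookie: header the way
# RFC 6265 describes it: cookie-pairs separated by ";" SP, each pair split at its FIRST
# "=" so that a "=" inside the cookie-value survives intact.
from typing import List, Optional, Tuple

def parse_cookie_header(header_value: str) -> List[Tuple[str, str]]:
    """Return the (name, value) cookie-pairs carried by one Cookie: header value.

    Duplicates are kept, in order: a user agent may legitimately send two cookies
    with the same name (set with different Path or Domain), and collapsing them
    into a dict would silently hide one of them from the server.
    """
    pairs: List[Tuple[str, str]] = []
    for token in header_value.split(";"):
        token = token.strip()       # tolerate "a=1;b=2" as well as the canonical "a=1; b=2"
        if not token:
            continue
        name, sep, value = token.partition("=")
        if not sep or not name.strip():
            continue                # not a cookie-pair; RFC 6265 user agents never emit this
        pairs.append((name.strip(), value.strip()))
    return pairs

def first_cookie(pairs: List[Tuple[str, str]], name: str) -> Optional[str]:
    """Value of the first cookie-pair with this name (the one the user agent listed first)."""
    for n, v in pairs:
        if n == name:
            return v
    return None

# Constructed sample: a value containing "=" (base64 padding) and a duplicated name,
# as a user agent sends when both a host-wide and a path-scoped "session" cookie match.
SAMPLE_COOKIE_HEADER = "session=abc123; prefs=dGhlbWU9ZGFyaw==; session=zzz999"

if __name__ == "__main__":
    for name, value in parse_cookie_header(SAMPLE_COOKIE_HEADER):
        print(f"{name} = {value}")
```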
  • *On the other hand, when setting a cookie in the response, there one cookie per the `Set-Cookie:` header:* **Not true.** In section 4.2.1 of [RFC 2109](http://tools.ietf.org/html/rfc2109) one reads *An origin server may include multiple Set-Cookie headers in a response. Note that an intervening gateway could fold multiple such headers into a single header.* In section 4.2.2 of the same RFC one reads *Informally, the Set-Cookie response header comprises the token Set-Cookie:, followed by a comma separated list of one or more cookies.* – Piotr Dobrogost Nov 24 '11 at 20:25
  • @PiotrDobrogost RFC 2109 was obsoleted by RFC 2965, which in turn was obsoleted by RFC 6265. The latest spec recommends avoiding `Set-Cookie` folding. Both 2109 and 2965 do not support folding in the presented ABNF syntax. Thanks for pointing out this ambiguity. I will fix the RFC reference in my response. – Ondrej Tucny Nov 24 '11 at 21:23
  • *Both 2109 and 2965 do not support folding in the presented ABNF syntax.* **Not true.** The presented ABNF syntax clearly supports multiple cookies in one `Set-Cookie` header (folding) - see my answer. – Piotr Dobrogost Nov 25 '11 at 11:30
  • @PiotrDobrogost Fixed in my answer. Thanks for pointing that out, I didn't notice the semantics of `1#cookie` syntax rule clearly. – Ondrej Tucny Nov 25 '11 at 18:34
  • *Hence individual cookies are separated with the semicolon.* **Not true**. The semicolon in the syntax of `Cookie:` header you present separates each `=` pair not each cookie as each cookie can have any number of such pairs. – Piotr Dobrogost Mar 14 '13 at 10:10
  • @PiotrDobrogost Section 4.2.2 of RFC 6265 reads: “Each cookie-pair represents a cookie stored by the user agent.”, where `cookie-pair = cookie-name "=" cookie-value`. So, can you please provide supportive evidence for your claim *and* downvote? – Ondrej Tucny Mar 14 '13 at 16:46
  • @PiotrDobrogost fair enough. – Ondrej Tucny Mar 14 '13 at 18:30
  • To clarify; in my comment above starting with *Hence (…)* when I was talking about `=` pairs I actually had in mind *attribute-value* pairs comprising the *cookie-av* part of a cookie as described in section 4.2.2 of RFC 2109. However *cookie-av* (and thus *attribute-value* pairs) is valid only when setting a cookie by means of the `Set-Cookie:` header, not when sending back (in the `Cookie:` header) a cookie which had already been set. – Piotr Dobrogost Oct 04 '17 at 08:58
  • One curious thing is that `Set-Cookie:` header's parsing algorithm described in section *5.2. The Set-Cookie Header* of RFC 6265 does not seem to allow more than one cookie (so called *folded cookies*) in this header although it is allowed in section *4.2.2 Set-Cookie Syntax* of RFC 2109. Till now I was convinced that RFC 6265 is backward compatible with RFC 2109 and RFC 2965 in regard to *consuming* header values which are valid according to these two earlier specifications… Am I missing something? – Piotr Dobrogost Oct 04 '17 at 09:07
  • "separated with the semicolon" - Although, they are actually separated by semicolon + _space_ (2 chars). https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cookie – MrWhite Nov 08 '20 at 13:38
1

The answer is a comma (,) sign.

In section 4.2.2 of RFC 2109 there's this specification of the Set-Cookie header:

   set-cookie      =       "Set-Cookie:" cookies
   cookies         =       1#cookie

with the following statement: *Informally, the Set-Cookie response header comprises the token Set-Cookie:, followed by a comma separated list of one or more cookies.* (Formally, the meaning of # in the above notation is defined in RFC 733, section A. NOTATIONAL CONVENTIONS, point 5:

   A construct "#" is defined, similar to "*", as follows:

              <l>#<m>element

   indicating at least <l> and at most <m> elements, each separated by one or more commas (",").)

Yes, RFC 2109 was obsoleted by RFC 2965, which in turn was obsoleted by RFC 6265.
No, it doesn't change anything in this context as

  • most existing HTTP servers and clients support RFC 2109
  • RFC 6265 does not forbid Set-Cookie folding
Piotr Dobrogost
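Why the comma-separated reading above breaks down in practice, as an added example (not code from the original answer or any RFC): the Expires attribute is an HTTP date that itself contains a comma, so a folded Set-Cookie value cannot be split on commas, while a parser following RFC 6265 section 5.2 reads the whole folded value as a single cookie and loses the second one. The response headers and the folded form are constructed.

```python
# Added example (not from the original answer): why RFC 6265 tells origin servers not
# to fold Set-Cookie headers. The Expires attribute is an HTTP date containing a comma,
# so a folded value cannot be split on commas, and an RFC 6265 section 5.2 parser
# treats the whole header value as ONE cookie anyway.
from typing import Dict, List, Optional, Tuple

Cookie = Tuple[str, str, Dict[str, str]]  # (name, value, attributes)

def parse_set_cookie(header_value: str) -> Optional[Cookie]:
    """RFC 6265 section 5.2: text before the first ";" is the name=value pair, the rest
    is attribute-value pairs. A pair without "=" makes the whole header ignored."""
    pair, _, rest = header_value.partition(";")
    name, sep, value = pair.partition("=")
    if not sep or not name.strip():
        return None
    attrs: Dict[str, str] = {}
    for av in rest.split(";"):
        av = av.strip()
        if not av:
            continue
        attr_name, _, attr_value = av.partition("=")
        attrs[attr_name.strip().lower()] = attr_value.strip()  # attribute names are case-insensitive
    return name.strip(), value.strip(), attrs

def parse_set_cookie_headers(headers: List[Tuple[str, str]]) -> List[Cookie]:
    """The unambiguous form: one cookie per Set-Cookie header, header repeated."""
    parsed = [parse_set_cookie(v) for n, v in headers if n.lower() == "set-cookie"]
    return [c for c in parsed if c is not None]

def naive_comma_unfold(folded: str) -> List[Optional[Cookie]]:
    """What a gateway or client that believes 'comma separates cookies' would do."""
    return [parse_set_cookie(part.strip()) for part in folded.split(",")]

# Constructed sample response headers: two cookies, the first with an Expires date.
RESPONSE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sid=abc123; Expires=Wed, 09 Jun 2021 10:18:14 GMT; Path=/; HttpOnly"),
    ("Set-Cookie", "lang=en; Path=/"),
]
# The same two cookies folded into one header value, as RFC 2109 permitted.
FOLDED = RESPONSE_HEADERS[1][1] + ", " + RESPONSE_HEADERS[2][1]

if __name__ == "__main__":
    print(parse_set_cookie_headers(RESPONSE_HEADERS))  # two well-formed cookies
    print(parse_set_cookie(FOLDED))    # one cookie; "lang" ends up as attribute junk
    print(naive_comma_unfold(FOLDED))  # Expires cut to "Wed", a dropped fragment, then lang
```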
  • It matters a lot. RFC 6265 is supposed to describe what UAs actually do. – Julian Reschke Nov 25 '11 at 09:29
  • @JulianReschke Well in this case could you please tell us which of popular UAs do **not** handle folded `Set-Cookie` header? – Piotr Dobrogost Nov 25 '11 at 10:09
  • Piotr, I have no idea, and I didn't say so. I was just pointing out that RFC 6265 is supposed to accurately define how cookies work, as opposed to the older RFCs. – Julian Reschke Nov 27 '11 at 21:55
  • -1 because this answer directly contradicts the accepted answer, and the author of this answer even admits that it's not a comma in the comments thread of the accepted answer. Shouldn't this answer be removed altogether?? – theyetiman Feb 11 '16 at 11:46
  • RFC 6265 doesn't *forbid* Set-Cookie folding (probably for backward compatibility), but it *discourages* it in the strongest terms using "SHOULD NOT": "Origin servers SHOULD NOT fold multiple Set-Cookie header fields into a single header field." – Lawrence Dol Oct 03 '17 at 22:17
  • I encountered a server that DID fold Set-Cookie headers recently, so this is definitely a thing that is out in the wild. – Jason Jan 12 '18 at 17:38