Adding multiple Set-Cookie Headers in ASP.NET Web

Question

I faced a problem.

When you add multiple Set-Cookie headers to the response

headers.Add("Set-Cookie", "a=b;Path=/;");
headers.Add("Set-Cookie", "c=d;Path=/;");

actually they are combined and only one header is sent with comma-separated cookies

Set-Cookie: a=b;Path=/;,c=d;Path=/;

According to RFC2109 it is a valid syntax. But it is not according to RFC6265, which deprecates RFC2109

Moreover latest browsers does not support this comma-separated syntax as well. Tested on IE9, Firefox 13 and Google Chrome 20.

All of these browsers took first cookie only.

Please see the sample project below

https://github.com/mnaoumov/cookie-bug/

I want to find some workaround.

I expect to have two different Set-Cookie headers.

I tried to write some MessageInspector to rewrite HTTP headers. I could not find how to access that headers.

Any ideas?

P.S. Used technology: Web API

Answer 1

According to answer on codeplex (http://aspnetwebstack.codeplex.com/workitem/288) this issue is known issue and related to WCF self-hosting and should be fixed by moving to IIS hosting.

This is WCF 4 issue which marked as won't fix.

Found another question with the same outcome WCF 4.0 Cookie Only First is Recorded by Browser.

Answer 2

You can use the HttpContext.Current.Response.SetCookie

using System.Web;


HttpCookie foo = new HttpCookie("foo", "true");
HttpContext.Current.Response.Cookies.Add(foo); 

HttpCookie bar = new HttpCookie("bar", "true");
HttpContext.Current.Response.Cookies.Add(bar);

This will add multiple set-cookies header in the response.

Edit: also, you should add the

<serviceHostingEnvironment multipleSiteBindingsEnabled="true" aspNetCompatibilityEnabled="true"/>

in your web.config