25

One HTTP Set-Cookie directive can only hold one cookie, is it right? I mean, one single name=value pair?

Gumbo
lovespring
  • Since you say directive, are we talking about htaccess or something? If so the tags should be redefined. Using javascript you can set however many cookies you please. – Sean Kinsey May 21 '10 at 06:47

1 Answer

33

The original cookie specification of Netscape (see this cached version) does not say anything about listing multiple cookie declarations.

But Set-Cookie as defined by RFC 2109 allows a comma-separated list of cookie declarations:

Informally, the Set-Cookie response header comprises the token Set-Cookie:, followed by a comma-separated list of one or more cookies. Each cookie begins with a NAME=VALUE pair, followed by zero or more semi-colon-separated attribute-value pairs.

The same applies to Set-Cookie2 as defined by RFC 2965:

Informally, the Set-Cookie2 response header comprises the token Set-Cookie2:, followed by a comma-separated list of one or more cookies. Each cookie begins with a NAME=VALUE pair, followed by zero or more semi-colon-separated attribute-value pairs.

But since most user agents still follow Netscape’s original specification, I would rather suggest just declaring each cookie with its own Set-Cookie header field.

This is also what the latest RFC 6265 reflects:

Origin servers SHOULD NOT fold multiple Set-Cookie header fields into a single header field. The usual mechanism for folding HTTP headers fields (i.e., as defined in [RFC2616]) might change the semantics of the Set-Cookie header field because the %x2C (",") character is used by Set-Cookie in a way that conflicts with such folding.

Community
Gumbo
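
The comma conflict named in the RFC 6265 passage quoted in the answer, shown as an added example that is not part of the original answer: the Expires date itself contains a comma, so folding two Set-Cookie fields into one comma-joined value and splitting it again truncates the first cookie and drops its Path and HttpOnly attributes. The cookie names, values and helper functions are constructed for illustration.

```python
# Constructed sample: two cookies, one Set-Cookie header field each
# (names and values are made up for this example).
FIELDS = [
    "sid=abc123; Expires=Wed, 21 Oct 2015 07:28:00 GMT; Path=/; HttpOnly",
    "theme=dark; Path=/",
]

def parse_set_cookie(field):
    """Parse one Set-Cookie field value into (name, value, attributes)."""
    first, *rest = [part.strip() for part in field.split(";")]
    name, sep, value = first.partition("=")
    if not sep or not name:
        raise ValueError(f"no NAME=VALUE pair in {field!r}")
    attrs = {}
    for part in rest:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, value, attrs

def fold(fields):
    """Combine repeated header fields the generic HTTP way (comma-joined)."""
    return ", ".join(fields)

def split_on_commas(folded):
    """What a generic comma-separated-list parser does to a folded value."""
    return [piece.strip() for piece in folded.split(",")]

def parse_folded(folded):
    """Parse every comma-separated piece; collect the pieces that fail."""
    cookies, rejected = [], []
    for piece in split_on_commas(folded):
        try:
            cookies.append(parse_set_cookie(piece))
        except ValueError:
            rejected.append(piece)
    return cookies, rejected

if __name__ == "__main__":
    # One field per cookie: every attribute survives.
    print([parse_set_cookie(f) for f in FIELDS])
    # Folded and re-split: 'sid' keeps only Expires=Wed, the rest is rejected.
    print(parse_folded(fold(FIELDS)))
```
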
  • The last specification is RFC6265, which doesn't say anything about several cookies in a single Set-Cookie header, as far as I can see: http://www.rfc-editor.org/rfc/rfc6265.txt – neu242 Mar 05 '12 at 10:26
  • 1
    I can confirm that Google Chrome has highly unusual parsing when you try to send multiple cookies, so it's certainly not advisable. It perplexed me for a great while on how to parse the cookie according to RFC 2109 since the "," character as a cookie separator does indeed make it basically impossible to parse. So, to put it simply, you just don't parse it. – A.B. Carroll Dec 03 '15 at 23:06
  • 1
    "But since most user agents still follow Netscape’s original specification" - is this still the case? Tried sending multiple cookies in one header today and it didn't work ... at least in Chromium – Philipp Kyeck Feb 22 '21 at 12:28