[#1500] Multiple Set-Cookie headers are combined into one which some browsers do not handle correctly

Date: 2010-05-11 10:45
Priority: 3
State: Open
Submitted by: Bernhard Herzog (bh)
Assigned to: Nobody (None)
Hardware: none
Product: none
Operating System: none
Component: none
Version: none
Severity: none
Resolution: none
URL:
Summary: Multiple Set-Cookie headers are combined into one which some browsers do not handle correctly

Detailed description
When an HTTP response contains a header field multiple times, Python's httplib combines them into one field by joining their values with commas. This is allowed according to RFC 2616 (HTTP/1.1) and RFC 1945 (HTTP/1.0). This should also be OK specifically for the Set-Cookie header field, whose syntax according to RFC 2109 allows multiple cookies in one Set-Cookie header field when they are comma-separated.

However, at least Firefox does not support this and will only accept the first cookie and ignore the others. This means that some websites may appear to be broken when they are accessed through InteProxy Desktop when used as an HTTP proxy.

More info: http://code.google.com/p/browsersec/wiki/Part2#Same-origin_policy_for_cookies which explains that:

every Set-Cookie header sent by the server consists of one or more
comma-separated NAME=VALUE pairs, followed by a number of additional
semicolon-separated parameters or keywords. In practice, a vast majority
of browsers support only a single pair
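
The behaviour described in this report, as an added example that is not InteProxy's code and not part of the original report: it parses a constructed response with two Set-Cookie fields, shows why the comma-joined value cannot be split back reliably (the Expires date contains a comma), and relays each field on its own line. It assumes Python 3's `http.client` (the successor of `httplib`); the function names and the sample headers are made up for illustration.

```python
import io
import http.client

# Constructed sample upstream response headers (not taken from the report).
RAW_HEADERS = (
    b"Content-Type: text/html\r\n"
    b"Set-Cookie: session=abc123; Path=/; HttpOnly\r\n"
    b"Set-Cookie: lang=en; Expires=Wed, 09 Jun 2021 10:18:14 GMT; Path=/\r\n"
    b"\r\n"
)


def parse(raw):
    """Parse a raw header block into an http.client.HTTPMessage."""
    return http.client.parse_headers(io.BytesIO(raw))


def joined_set_cookie(msg):
    """Reproduce the comma-joined single field the report describes."""
    return ", ".join(msg.get_all("Set-Cookie", []))


def naive_split(value):
    """Split the joined value on commas, as a receiver might try to do."""
    return [part.strip() for part in value.split(",")]


def forward_header_lines(msg):
    """Header lines for a proxy to relay, one line per received field.

    HTTPMessage.items() yields repeated fields separately and in order,
    so every Set-Cookie keeps its own line and its own attributes.
    """
    return ["%s: %s" % (name, value) for name, value in msg.items()]


if __name__ == "__main__":
    msg = parse(RAW_HEADERS)
    print("joined     :", joined_set_cookie(msg))
    print("naive split:", naive_split(joined_set_cookie(msg)))
    for line in forward_header_lines(msg):
        print("relayed    :", line)
```
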
