Multiple Set-Cookie headers are not well supported

[richanna]

The Set-Cookie header can occur multiple times but does not adhere to the list syntax, and thus is not well supported by the header field value concatenation rules.

[jricher]

Tagging @sbingler for feedback and discussion.

[sbingler]

Thanks, just for clarification are you looking for immediate-ish feedback from me or is this more of an FYI for future discussions?

[jricher]

Upon further investigation, I believe that combining multiple Set-Cookie fields within a signature is actually fine. The resulting value is not able to be reliably parsed, but it doesn't need to be! The canonicalized value is simply the concatenated string with defined separators between the individual values. The fact that the result is not itself a valid header value for Set-Cookie is weird, and should be called out, but I don't believe it actually negatively affects the signature process.