set-cookie headers should not include comma separated values #779

Closed
yunong opened this issue Mar 17, 2015 · 2 comments

yunong commented Mar 17, 2015

According to http://tools.ietf.org/html/rfc6265#section-3

   Origin servers SHOULD NOT fold multiple Set-Cookie header fields into
   a single header field.  The usual mechanism for folding HTTP headers
   fields (i.e., as defined in [RFC2616]) might change the semantics of
   the Set-Cookie header field because the %x2C (",") character is used
   by Set-Cookie in a way that conflicts with such folding.

set-cookie headers should not include comma separated values -- however, PR #693 enabled comma separated values for all headers, including set-cookie, which breaks browser parsing of set-cookie headers.

yunong self-assigned this Mar 17, 2015
yunong added the Bug label Mar 17, 2015

yunong commented Mar 17, 2015

fixed

lrowe commented Nov 21, 2017

The HTTP RFC only disallows the merging of multiple Set-Cookie headers into a single header. Multiple Set-Cookie headers are common and necessary.

Testing back to the latest Node 4.x LTS release, response.setHeader("Set-Cookie", ["a=1", "b=2"]) will render multiple Set-Cookie values correctly:

$ curl "http://localhost:3000/" -v
*   Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 3000 (#0)
> GET / HTTP/1.1
> Host: localhost:3000
> User-Agent: curl/7.43.0
> Accept: */*
> 
< HTTP/1.1 200 OK
< Set-Cookie: a=1
< Set-Cookie: b=2
< Date: Tue, 21 Nov 2017 20:19:28 GMT
< Connection: keep-alive
< Content-Length: 21
< 
* Connection #0 to host localhost left intact
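
The folding problem discussed in this thread, as an added example that is not part of the original issue or the project's code: it compares generic comma folding with a Set-Cookie exemption and shows what a recipient recovers in each case. The helper names, the sample headers, and the simplified RFC 6265 section 5.2 parser are assumptions made for illustration.

```javascript
// Added example: helper names are hypothetical, not restify's API.
// Constructed sample headers; the first cookie carries HttpOnly.
const headers = {
  'Content-Type': 'text/plain',
  'Set-Cookie': ['sid=abc123; HttpOnly', 'theme=dark; Path=/'],
};

// Generic folding as described in the issue: every multi-valued header
// becomes one comma-separated field, Set-Cookie included.
function foldAll(h) {
  return Object.entries(h).map(([name, v]) =>
    `${name}: ${Array.isArray(v) ? v.join(', ') : v}`);
}

// Folding with a Set-Cookie exemption: one header line per cookie.
function foldExceptSetCookie(h) {
  return Object.entries(h).flatMap(([name, v]) => {
    const values = Array.isArray(v) ? v : [v];
    return name.toLowerCase() === 'set-cookie'
      ? values.map((c) => `${name}: ${c}`)
      : [`${name}: ${values.join(', ')}`];
  });
}

// Simplified model of RFC 6265 section 5.2: each Set-Cookie line is one
// cookie; text before the first ";" is name=value, the rest attributes.
function parseSetCookieLines(lines) {
  const cookies = [];
  for (const line of lines) {
    const colon = line.indexOf(':');
    if (line.slice(0, colon).trim().toLowerCase() !== 'set-cookie') continue;
    const [pair, ...attrs] = line.slice(colon + 1).split(';');
    const eq = pair.indexOf('=');
    if (eq === -1) continue; // no name=value pair: cookie is ignored
    const cookie = { name: pair.slice(0, eq).trim(), value: pair.slice(eq + 1).trim(), attrs: {} };
    for (const a of attrs) {
      const i = a.indexOf('=');
      const key = (i === -1 ? a : a.slice(0, i)).trim().toLowerCase();
      cookie.attrs[key] = i === -1 ? true : a.slice(i + 1).trim();
    }
    cookies.push(cookie);
  }
  return cookies;
}

const folded = parseSetCookieLines(foldAll(headers));
const separate = parseSetCookieLines(foldExceptSetCookie(headers));
console.log(folded.length, 'httponly' in folded[0].attrs);     // 1 false
console.log(separate.length, 'httponly' in separate[0].attrs); // 2 true
```

With the folded header the recipient keeps a single cookie, sid, whose HttpOnly attribute has been absorbed into an unrecognized attribute name, and the theme cookie is never set.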
