
Cookie headers are not RFC-6265 compliant, break on some web servers #431

Closed
freerobby opened this issue Sep 13, 2012 · 5 comments

Comments

@freerobby

We have a rails app that sets a few cookies, e.g:

cookies[:foo1] = "bar1"
cookies[:foo2] = "bar2"
cookies[:foo3] = "bar3"

The Rack implementation of set_cookie is causing all cookies after the first cookie not to be set by web servers that obey the RFC-6265 spec. Rack should be sending multiple Set-Cookie headers, not stuffing all the cookies under one header.

In particular, this breaks on Torquebox/JBoss.

@freerobby
Author

You can check this IRC log for another complaint about this. Search for user "anachronistic" at 20:59.

@leahneukirchen
Member

Which handler are you using?

Handlers should be outputting headers["Set-Cookie"] = "foo\nbar\nbaz" as three headers.

@freerobby
Author

@chneukirchen We're running a template Rails app on the Torquebox stack. I don't think Torquebox uses one of the included handlers.

My understanding is that the handler is supposed to translate Rack's headers hash into a string of newline-separated key-value pairs to send as response headers. Obviously, this ticket can't be fixed with Rack's hash data structure given that a hash cannot have duplicate keys. However, maybe I am misunderstanding the contract that Rack makes with its handlers. Are you saying that the handler (not Rack) is responsible for translating

Set-cookie:foo=bar;
foo2=bar2;
foo3=bar3;

into

Set-Cookie:foo=bar;
Set-Cookie:foo2=bar2;
Set-Cookie:foo3=bar3;

?

For reference, here is a header we are seeing come from Torquebox:

Set-Cookie:foo=bar; domain=.spreadaholic.com; path=/; expires=Fri, 13-Sep-2013 21:07:04 GMT s_id=37; domain=.spreadaholic.com; path=/; expires=Sat, 13-Sep-2014 21:07:04 GMT foo2=barr2; path=/ _session_id=[REDACTED]; domain=.spreadaholic.com; path=/; expires=Sat, 13-Oct-2012 21:07:04 GMT; HttpOnly
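The contract described in this thread, worked through as an added example (my code, not Rack's or Torquebox's): Rack joins successive cookies into the single "Set-Cookie" hash slot with "\n", a handler is expected to emit one header field per line, and an RFC 6265 user agent parsing a folded field treats everything after the first ";" as attributes of the first cookie. The helper names (rack_set_cookie!, expand_headers, parse_set_cookie, cookies_seen_by_ua) and the cookie values are assumptions chosen for the demo; the header-joining behaviour mirrors what the thread says Rack does, not Rack's actual source.

```ruby
require "time"

# Mirrors the behaviour the thread attributes to Rack: the headers Hash
# cannot hold duplicate keys, so each new cookie is appended to the existing
# "Set-Cookie" value with a "\n" separator. (Assumed reimplementation.)
def rack_set_cookie!(headers, name, value, opts = {})
  parts = ["#{name}=#{value}"]
  parts << "domain=#{opts[:domain]}" if opts[:domain]
  parts << "path=#{opts[:path]}" if opts[:path]
  parts << "expires=#{opts[:expires].httpdate}" if opts[:expires]
  parts << "HttpOnly" if opts[:httponly]
  cookie = parts.join("; ")
  existing = headers["Set-Cookie"]
  headers["Set-Cookie"] = (existing.nil? || existing.empty?) ? cookie : "#{existing}\n#{cookie}"
  headers
end

# What a handler is supposed to do with that hash: one header field per
# "\n"-separated line, so the wire carries several Set-Cookie fields.
def expand_headers(headers)
  headers.flat_map do |key, value|
    value.to_s.split("\n").map { |line| [key, line] }
  end
end

# Simplified RFC 6265 section 5.2 parsing of one set-cookie-string, as a
# compliant user agent does it: the text before the first ";" is the
# name=value pair, every later ";"-delimited token is an attribute.
# Flag attributes without "=" (HttpOnly, Secure) are stored as true.
def parse_set_cookie(str)
  pair, *attrs = str.split(";").map(&:strip)
  return nil unless pair && pair.include?("=")
  name, value = pair.split("=", 2)
  attributes = attrs.each_with_object({}) do |attr, h|
    k, v = attr.split("=", 2)
    h[k.downcase] = v.nil? ? true : v
  end
  { name: name, value: value, attributes: attributes }
end

# Cookies a user agent would store from a list of [field-name, value] pairs.
def cookies_seen_by_ua(fields)
  fields.select { |k, _| k.casecmp("set-cookie").zero? }
        .map { |_, v| parse_set_cookie(v) }
        .compact
end

# Compare a correct handler with one that folds the lines into a single
# field joined by spaces, which is the shape of the Torquebox header quoted
# in this issue. Cookie names and values are constructed for the demo.
def demo
  headers = {}
  rack_set_cookie!(headers, "foo1", "bar1", path: "/")
  rack_set_cookie!(headers, "foo2", "bar2", path: "/")
  rack_set_cookie!(headers, "_session_id", "abc123", path: "/", httponly: true)

  good = cookies_seen_by_ua(expand_headers(headers))
  folded = [["Set-Cookie", headers["Set-Cookie"].gsub("\n", " ")]]
  bad = cookies_seen_by_ua(folded)

  {
    good: good.map { |c| c[:name] },          # ["foo1", "foo2", "_session_id"]
    bad: bad.map { |c| c[:name] },            # ["foo1"]: the session cookie is lost
    bad_attrs: bad.first[:attributes]         # and foo1 silently picks up HttpOnly
  }
end

if __FILE__ == $0
  p demo
end
```

The folded form is the failure mode the reporter saw: a compliant browser stores only the first cookie, the remaining name=value pairs are swallowed into unparseable attribute values, and attributes meant for a later cookie (here HttpOnly, intended for the session cookie) end up attached to the first one. RFC 6265 section 3 explicitly says origin servers should not fold multiple Set-Cookie fields into one, which is why the split has to happen in the handler.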

@leahneukirchen
Member

@freerobby
Author

Thanks for the clarification, Christian; sorry for the red herring.
