Cookie headers are not RFC-6265 compliant, break on some web servers #431
Comments
You can check this IRC log for another complaint about this. Search for user "anachronistic" at 20:59.
Which handler are you using? Handlers should be outputting `headers["Set-Cookie"] = "foo\nbar\nbaz"` as three headers.
@chneukirchen We're running a template rails app running on the Torquebox stack. I don't think torquebox uses one of the included handlers. My understanding is that the handler is supposed to translate Rack's headers hash into a string of newline-separated key-value pairs to send as response headers. Obviously, this ticket can't be fixed with Rack's hash data structure given that a hash cannot have duplicate keys. However, maybe I am misunderstanding the contract that Rack makes with its handlers. Are you saying that the handler (not Rack) is responsible for translating
into
? For reference, here is a header we are seeing come from Torquebox:
Thanks for the clarification, Christian; sorry for the red herring.
We have a rails app that sets a few cookies, e.g:
```ruby
cookie[:foo1] = "bar1"
cookie[:foo2] = "bar2"
cookie[:foo3] = "bar3"
```
The Rack implementation of set_cookie is causing all cookies after the first cookie not to be set by web servers that obey the RFC-6265 spec. Rack should be sending multiple Set-Cookie headers, not stuffing all the cookies under one header.
In particular, this breaks on Torquebox/JBoss.
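The handler contract described in the comments above, as an added example that is not code from Rack, TorqueBox, or anyone in this thread: a handler receives one newline-joined `Set-Cookie` string and must write one header line per value. `header_lines`, `naive_header_lines`, and the sample hash are hypothetical names and constructed data; the control-character check follows the Rack spec's rule that header lines contain no characters below 037.

```ruby
# Added example: hypothetical handler-side header serialization.
# Rack convention discussed above: one String per header name,
# with multiple values (e.g. several cookies) joined by "\n".

# After splitting on "\n", no control character may remain in a value.
# A leftover "\r" or NUL would let a value break out of its header line.
CTL = /[\x00-\x1f]/

# Correct handler behaviour: one wire-format line per "\n"-separated value.
def header_lines(headers)
  headers.flat_map do |name, value|
    value.to_s.split("\n").map do |v|
      raise ArgumentError, "control character in #{name} value" if v =~ CTL
      "#{name}: #{v}"
    end
  end
end

# Non-splitting behaviour: the joined string is written as a single header,
# which is what makes every cookie after the first one disappear.
def naive_header_lines(headers)
  headers.map { |name, value| "#{name}: #{value}" }
end

# Constructed sample modelled on the three cookies from the issue text.
SAMPLE = {
  "Content-Type" => "text/html",
  "Set-Cookie"   => "foo1=bar1; path=/\nfoo2=bar2; path=/\nfoo3=bar3; path=/"
}.freeze

if __FILE__ == $0
  puts "split by handler:"
  puts header_lines(SAMPLE)
  puts "not split (#{naive_header_lines(SAMPLE).size} headers for 3 cookies):"
  puts naive_header_lines(SAMPLE).map(&:inspect)
end
```

Comparing the number of `Set-Cookie` lines on the wire with the number of cookies the application set is a quick way to tell whether a given server or adapter performs this split.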