Multiple Set-cookie headers in HTTP

Question

I\'m writing a small class that acts as a very basic HTTP client. As part of a project I\'m working on, I\'m making it cookie aware. However, it\'s unclear to me what happens

Answer 1

RFC 6265 states:

Servers SHOULD NOT include more than one Set-Cookie header field in the same response with the same cookie-name.

I would therefore be very concerned if your service sends multiple Set-Cookie headers with the same key. Especially because I have seen user agents and proxies behave unexpectedly - sometimes taking the value of the first header, sometimes rearranging headers.

As a client, the typical user agent behavior seems to be to take the value of the last header. The RFC alludes to that behavior with this statement:

If the user agent receives a new cookie with the same cookie-name, domain-value, and path-value as a cookie that it has already stored, the existing cookie is evicted and replaced with the new cookie.