Multiple Set-cookie headers in HTTP

无人及你 2021-02-03 21:17

I'm writing a small class that acts as a very basic HTTP client. As part of a project I'm working on, I'm making it cookie aware. However, it's unclear to me what happens

2 Answers
  • 2021-02-03 21:48

    RFC 6265 section 4.1.2 states:

    If the user agent receives a new cookie with the same cookie-name,
    domain-value, and path-value as a cookie that it has already stored,
    the existing cookie is evicted and replaced with the new cookie.
    Notice that servers can delete cookies by sending the user agent a
    new cookie with an Expires attribute with a value in the past.

    So I would process the headers in the order given and overwrite them if there is a duplicate. So in your case you would have just one PHPSESSID=ghi.

    0 Discussion (0)
  • 2021-02-03 22:08

    RFC 6265 states:

    Servers SHOULD NOT include more than one Set-Cookie header field in the same response with the same cookie-name.

    I would therefore be very concerned if your service sends multiple Set-Cookie headers with the same key. Especially because I have seen user agents and proxies behave unexpectedly - sometimes taking the value of the first header, sometimes rearranging headers.

    As a client, the typical user agent behavior seems to be to take the value of the last header. The RFC alludes to that behavior with this statement:

    If the user agent receives a new cookie with the same cookie-name, domain-value, and path-value as a cookie that it has already stored, the existing cookie is evicted and replaced with the new cookie.

    0 Discussion (0)
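
An added example, not part of either answer or of any library: a minimal Python cookie store that applies Set-Cookie values in the order received, so a later cookie with the same name, domain and path replaces the earlier one and a past Expires deletes it. The class and method names, the host `example.com` and the sample values are constructed; the default path of `/` and the absence of public-suffix checks are simplifications.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime


class CookieJar:
    """Cookies keyed by (name, domain, path), the identity RFC 6265 compares."""

    def __init__(self):
        self.cookies = {}

    def store(self, header, host, now=None):
        """Apply one Set-Cookie value; return the key it touched, or None if ignored."""
        now = now or datetime.now(timezone.utc)
        pair, *attrs = [part.strip() for part in header.split(";")]
        name, sep, value = (s.strip() for s in pair.partition("="))
        if not sep or not name:
            return None  # malformed name=value pair
        host = host.lower()
        domain, path, expires = host, "/", None  # "/" default path is a simplification
        for attr in attrs:
            attr_name, _, val = (s.strip() for s in attr.partition("="))
            attr_name = attr_name.lower()
            if attr_name == "domain" and val:
                domain = val.lstrip(".").lower()
            elif attr_name == "path" and val.startswith("/"):
                path = val
            elif attr_name == "expires":
                try:
                    expires = parsedate_to_datetime(val)
                except (TypeError, ValueError):
                    expires = None  # unparseable date: keep as a session cookie
        if host != domain and not host.endswith("." + domain):
            return None  # Domain attribute does not cover the request host
        if expires is not None and expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        key = (name, domain, path)
        self.cookies.pop(key, None)  # evict the stored cookie with the same identity
        if expires is None or expires > now:
            self.cookies[key] = value  # a past Expires leaves the cookie deleted
        return key

    def apply_response(self, set_cookie_values, host, now=None):
        """Process values in the order received; return names that were repeated."""
        keys = [self.store(value, host, now) for value in set_cookie_values]
        names = [key[0] for key in keys if key]
        return sorted({n for n in names if names.count(n) > 1})
```

The list returned by `apply_response` lets the client log responses that repeat a cookie name, which the RFC says servers should not send.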