In HTTP specification, what is the string that separates cookies?
The answer is a comma ,
sign.
In section 4.2.2 of RFC 2109 there's this specification of Set-Cookie
header
set-cookie = "Set-Cookie:" cookies
cookies = 1#cookie
with the following statement Informally, the Set-Cookie response header comprises the token Set-Cookie:, followed by a comma separated list of one or more cookies. (Formally meaning of #
in the above notation is defined in RFC 733 in section A. NOTATIONAL CONVENTIONS, point 5
A construct "#" is defined, similar to "*", as follows:
<l>#<m>element
indicating at least
<l>
and at most<m>
elements, each separated by one or more commas (",").
Yes, RFC 2109 was obsoleted by RFC 2965, which in turn was obsoleted by RFC 6265.
No, it doesn't change anything in this context as
- most existing HTTP servers and clients support RFC 2109
- RFC 6265 does not forbid
Set-Cookie
folding
Inspecting cookies in an HTTP request
The Cookie:
header has the following syntax:
Cookie: <Name> = <Value> { ; <Name> = <Value> }
Hence individual cookies are separated with the semicolon and a space.
Setting cookies in an HTTP response
On the other hand, when setting a cookie in the response, there one cookie per the Set-Cookie:
header:
Set-Cookie: <Name> = <Value> [ ; expires = <Date>] [ ; path = <Path> ] [ ; domain = <Domain> ] // etc…
To set multiple cookies the Set-Cookie
header is repeated in an HTTP response.
Notes:
- Have a look here for a tutorial with examples, and to RFC 6265 HTTP State Management Mechanism for a normative reference showing the full details of the syntax.
- The now-obsolete RFC 2965 defined an alternate pair of headers
Cookie2
andSet-Cookie2
which were abandoned. - The obsoleted versions of the HTTP State Management Mechanism (RFC 2109 and RFC 2965) provided a way to fold multiple
Set-Cookie
(orSet-Cookie2
) headers into one. However, this folding is not recommended by the latest RFC 6265 spec.