In HTTP specification, what is the string that separates cookies?

The answer is a comma , sign.

In section 4.2.2 of RFC 2109 there's this specification of Set-Cookie header

   set-cookie      =       "Set-Cookie:" cookies
   cookies         =       1#cookie

with the following statement Informally, the Set-Cookie response header comprises the token Set-Cookie:, followed by a comma separated list of one or more cookies. (Formally meaning of # in the above notation is defined in RFC 733 in section A. NOTATIONAL CONVENTIONS, point 5

A construct "#" is defined, similar to "*", as follows:

              <l>#<m>element

indicating at least <l> and at most <m> elements, each separated by one or more commas (",").

Yes, RFC 2109 was obsoleted by RFC 2965, which in turn was obsoleted by RFC 6265.
No, it doesn't change anything in this context as

  • most existing HTTP servers and clients support RFC 2109
  • RFC 6265 does not forbid Set-Cookie folding

Inspecting cookies in an HTTP request

The Cookie: header has the following syntax:

Cookie: <Name> = <Value> { ; <Name> = <Value> }

Hence individual cookies are separated with the semicolon and a space.

Setting cookies in an HTTP response

On the other hand, when setting a cookie in the response, there one cookie per the Set-Cookie: header:

Set-Cookie: <Name> = <Value> [ ; expires = <Date>] [ ; path = <Path> ] [ ; domain = <Domain> ] // etc…

To set multiple cookies the Set-Cookie header is repeated in an HTTP response.


Notes:

  • Have a look here for a tutorial with examples, and to RFC 6265 HTTP State Management Mechanism for a normative reference showing the full details of the syntax.
  • The now-obsolete RFC 2965 defined an alternate pair of headers Cookie2 and Set-Cookie2 which were abandoned.
  • The obsoleted versions of the HTTP State Management Mechanism (RFC 2109 and RFC 2965) provided a way to fold multiple Set-Cookie (or Set-Cookie2) headers into one. However, this folding is not recommended by the latest RFC 6265 spec.