The /ServiceModel/AuthService.svc/Login authorization API responds with 4 Set-Cookie headers in the response. But according to the spec [https://datatracker.ietf.org/doc/html/rfc6265#section-4.1], "Servers SHOULD NOT include more than one Set-Cookie header field in the same response with the same cookie-name." The client application can't get all 4 header values; only the first one is retrievable. Could you please give a fix or a suitable workaround for this?
Hi Anusha,
It's now allowed in HTTP/2 (https://datatracker.ietf.org/doc/html/rfc7540#section-8.1.2.5), which specifies:

8.1.2.5. Compressing the Cookie Header Field

The Cookie header field [COOKIE] uses a semi-colon (";") to delimit cookie-pairs (or "crumbs"). This header field doesn't follow the list construction rules in HTTP (see [RFC7230], Section 3.2.2), which prevents cookie-pairs from being separated into different name-value pairs. This can significantly reduce compression efficiency as individual cookie-pairs are updated.

To allow for better compression efficiency, the Cookie header field MAY be split into separate header fields, each with one or more cookie-pairs. If there are multiple Cookie header fields after decompression, these MUST be concatenated into a single octet string using the two-octet delimiter of 0x3B, 0x20 (the ASCII string "; ") before being passed into a non-HTTP/2 context, such as an HTTP/1.1 connection, or a generic HTTP server application.

Therefore, the following two lists of Cookie header fields are semantically equivalent.

    cookie: a=b; c=d; e=f

    cookie: a=b
    cookie: c=d
    cookie: e=f
Please also check out this article:
https://datatracker.ietf.org/doc/html/rfc6265#page-7
Best Regards,
Bogdan L.
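
Added example, not part of the original thread or of the product's code: a Python sketch of the symptom described in the question, where a single-value header lookup returns only the first Set-Cookie field while a multi-value lookup returns all four. The client language, the cookie names and the sample response are assumptions constructed for illustration.

```python
from email.parser import Parser
from http.cookies import SimpleCookie

# Constructed sample response headers: four Set-Cookie fields with
# made-up cookie names (the real names are not given in the thread).
RAW_RESPONSE_HEADERS = (
    "Content-Type: application/json\r\n"
    "Set-Cookie: cookie_one=aaa; Path=/; HttpOnly\r\n"
    "Set-Cookie: cookie_two=bbb; Path=/; Expires=Wed, 21 Oct 2026 07:28:00 GMT\r\n"
    "Set-Cookie: cookie_three=ccc; Path=/; Secure\r\n"
    "Set-Cookie: cookie_four=ddd; Path=/\r\n"
    "\r\n"
)


def parse_headers(raw):
    """Parse a raw header block into a multi-valued message object."""
    return Parser().parsestr(raw, headersonly=True)


def first_set_cookie(headers):
    """Single-value lookup: returns only the first Set-Cookie field."""
    return headers.get("Set-Cookie")


def all_cookies(headers):
    """Collect every Set-Cookie field and return {name: value}."""
    jar = {}
    for field in headers.get_all("Set-Cookie", []):
        parsed = SimpleCookie()
        parsed.load(field)  # each field carries exactly one cookie
        for name, morsel in parsed.items():
            jar[name] = morsel.value
    return jar


def naive_comma_split(headers):
    """Fold the fields with ',' and split again: the comma inside the
    Expires date is wrongly treated as a separator."""
    folded = ", ".join(headers.get_all("Set-Cookie", []))
    return [part.strip() for part in folded.split(",")]


if __name__ == "__main__":
    h = parse_headers(RAW_RESPONSE_HEADERS)
    print(first_set_cookie(h))
    print(all_cookies(h))
    print(len(naive_comma_split(h)))
```

The third function shows why a client library that merges repeated headers into one comma-separated string loses cookie boundaries; each Set-Cookie field has to be read as its own value.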