Skip to content

Commit

Permalink
Clarified Cookie header behaviour in HTTP/2
Browse files Browse the repository at this point in the history
  • Loading branch information
LucidDan authored Nov 10, 2023
1 parent 0c7b964 commit d95e378
Showing 1 changed file with 19 additions and 4 deletions.
23 changes: 19 additions & 4 deletions specs/www.rst
Original file line number Diff line number Diff line change
Expand Up @@ -43,14 +43,29 @@ states that for any header field that can appear multiple times, it is exactly
equivalent to sending that header field only once with all the values joined by
commas.

However, RFC 7230 and RFC 6265 make it clear that this rule does not apply to
the various headers used by HTTP cookies (``Cookie`` and ``Set-Cookie``). The
``Cookie`` header must only be sent once by a user-agent, but the
``Set-Cookie`` header may appear repeatedly and cannot be joined by commas.
However, for HTTP cookies (``Cookie`` and ``Set-Cookie``) the allowed behaviour
does not follow the above rule, and also varies slightly based on the HTTP
protocol version:

* For the ``Set-Cookie`` header in HTTP/1.0, HTTP/1.1 and HTTP2.0, it may appear
repeatedly, but cannot be concatenated by commas (or anything else) into a
single header field.

* For the ``Cookie`` header, in HTTP/1.0 and HTTP/1.1, RFC 7230 and RFC 6265
make it clear that the ``Cookie`` header must only be sent once by a
user-agent, and must be concatenated into a single octet string using the
two-octet delimiter of 0x3b, 0x20 (the ASCII string "; "). However in HTTP/2,
RFC 9113 states that ``Cookie`` headers MAY appear repeatedly, OR be
concatenated using the two-octet delimiter of 0x3b, 0x20
(the ASCII string "; ").

The ASGI design decision is to transport both request and response headers as
lists of 2-element ``[name, value]`` lists and preserve headers exactly as they
were provided.

For ASGI applications that support HTTP/2, care should be taken to handle the
special case for ``Cookie`` noted above.

The HTTP protocol should be signified to ASGI applications with a ``type``
value of ``http``.

Expand Down

0 comments on commit d95e378

Please sign in to comment.