Multiple cookie headers need special-case concatenation using ; instead of ,

[isaacs]

Version: v8.0.0-pre
Platform: Darwin geegaw.local 16.4.0 Darwin Kernel Version 16.4.0: Thu Dec 22 22:53:21 PST 2016; root:xnu-3789.41.3~3/RELEASE_X86_64 x86_64
Subsystem: http

Example program:

require('http').createServer(function (q, s) {
  console.error(q.headers.cookie)
  s.end(q.headers.cookie + '\n')
}).listen(8080))

$ curl localhost:8080 -H cookie:foo=bar -H cookie:baz=boo
foo=bar, baz=boo

Expected output:

$ curl localhost:8080 -H cookie:foo=bar -H cookie:baz=boo
foo=bar; baz=boo

Explanation

Unlike most headers, multiple cookie headers should be concatenated using a ; rather than a ,. Most web browsers handle this already, by only ever sending a single cookie header which is already joined with semicolons.

However, clients MAY send multiple cookie headers, which Node then automatically concatenates using commas. (The specified mechanism for joining multiple headers in most cases.)

This throws off userland cookie-parsing logic, especially because , is a valid character in the cookie value, and in fact must be used to specify a cookie expiration date.

Suggestion

Server: Special-case concatenating multiple cookie request headers using a ; instead of a ,.

Client: When sending multiple cookie headers with headers: { cookie: ['x=y', 'a=b' ] }, concatenate them in the request using ; rather than ,.

I suspect that this didn't come up before because web browsers and userland client cookiejars already do this properly.