Affects Version/s: 6.2.3 CE GA4, 6.2.10 EE GA1, 6.2.X EE, 7.0.0 M6
Component/s: Core Infrastructure
- Start portal
- Open a new browser session or delete browser cache/cookies
- Open the dev toolbar of your browser and switch to the Network tab
- Access the portal: http://localhost:8080
Observe the response headers for localhost:
Related parts of the "Set-Cookie" spec.
4. Server Requirements
"Set-Cookie - syntax & semantics":
Servers SHOULD NOT include more than one Set-Cookie header field in
the same response with the same cookie-name. (See Section 5.2 for
how user agents handle this case.)
If the user agent receives a new cookie with the same cookie-name,
domain-value, and path-value as a cookie that it has already stored,
the existing cookie is evicted and replaced with the new cookie.
Notice that servers can delete cookies by sending the user agent a
new cookie with an Expires attribute with a value in the past.
Based on this, user agents handle such cases in a LIFO-like way.
5. User Agent Requirements
Set-Cookie - header: https://tools.ietf.org/html/rfc6265#section-5.2
5.2. The Set-Cookie Header
When a user agent receives a Set-Cookie header field in an HTTP
response, the user agent MAY ignore the Set-Cookie header field in
its entirety. For example, the user agent might wish to block
responses to "third-party" requests from setting cookies (see
If the user agent does not ignore the Set-Cookie header field in its
entirety, the user agent MUST parse the field-value of the Set-Cookie
header field as a set-cookie-string (defined below).
NOTE: The algorithm below is more permissive than the grammar in
Section 4.1. For example, the algorithm strips leading and trailing
whitespace from the cookie name and value (but maintains internal
whitespace), whereas the grammar in Section 4.1 forbids whitespace in
these positions. User agents use this algorithm so as to
interoperate with servers that do not follow the recommendations in