Cookie.parse ignores multiple field values

[jcoglan]

Per RFC 2616:

Multiple message-header fields with the same field-name MAY be present in a message if and only if the entire field-value for that header field is defined as a comma-separated list [i.e., #(values)]. It MUST be possible to combine the multiple header fields into one "field-name: field-value" pair, without changing the semantics of the message, by appending each subsequent field-value to the first, each separated by a comma. The order in which header fields with the same field-name are received is therefore significant to the interpretation of the combined field value, and thus a proxy MUST NOT change the order of these field values when a message is forwarded.

If you pass a set-cookie header to Cookie.parse and that header contains multiple comma-separated field values, the first value is parsed correctly but subsequent ones are ignored. For example:

var Cookie = require('tough-cookie').Cookie;

var str = 'id=a3fWa; Expires=Wed, 21 Oct 2015 07:28:00 GMT, qwerty=219ffwef9w0f';
var c = Cookie.parse(str);

console.log(c);
// -> Cookie="id=a3fWa; Expires=Wed, 21 Oct 2015 07:28:00 GMT; hostOnly=?; aAge=?; cAge=14ms"

Is there a way to correctly parse multiple cookie values from a header, and if not, can Cookie.parse be modified to support this?

[stash-sfdc]

From RFC6265 section 3:

Origin servers SHOULD NOT fold multiple Set-Cookie header fields into a single header field. The usual mechanism for folding HTTP headers fields (i.e., as defined in RFC2616) might change the semantics of the Set-Cookie header field because the %x2C (",") character is used by Set-Cookie in a way that conflicts with such folding.

So, I don't think we should modify Cookie.parse to support this.

[gajus]

What is the workaround for this?

[yvele]

What is the workaround for this?

@gajus did you find a workaround or an alternate library that parses cookies with the same name? See jshttp/cookie#60 (comment)

[information-security]

From RFC6265 section 3:

Origin servers SHOULD NOT fold multiple Set-Cookie header fields into a single header field. The usual mechanism for folding HTTP headers fields (i.e., as defined in RFC2616) might change the semantics of the Set-Cookie header field because the %x2C (",") character is used by Set-Cookie in a way that conflicts with such folding.

So, I don't think we should modify Cookie.parse to support this.

What if one is going to parse cookie header of a request? It can validly contain multiple cookies.

[colincasey]

@information-security The Cookie specification explicitly states that there is a conflict between how HTTP header field folding uses the , character and how a , is interpreted in the Set-Cookie header for cookie parsing.

Therefore, when a request contains multiple cookies, the Set-Cookie header should never be folded into a single header, rather the request should contain multiple Set-Cookie headers which must be individually parsed.

[information-security]

@colincasey Set-Cookie is a response header while Cookie is a request header. When the browser sends a request to the server, it folds all the cookies separated by ; character in one header named cookie. i.e. CookieName1=Value1;CookieName2=Value2;. Either you got me wrong or I am misunderstanding some basic concepts here.
Given that, It would be great if Cookie.parse() could handle this use-case. Currently, I have to manually split the cookie string and call Cookie.parse() in a loop to get an array of cookies. But a parse(string): Cookie[]|Cookie function would be of great asset IMO.

[colincasey]

@information-security I did misunderstand you. Most of the discussion in this issue relates to parsing multiple cookies from the Set-Cookie header so I had that context in mind when I replied 😅

Your comment makes much more sense now. Could you open a new issue for your request?

[information-security]

Sorry for being late. Sure, I did (#410).