Multiple Cookie headers incorrectly concatenated with comma instead of semicolon

[andyquinterom]

When multiple Cookie headers are present in an HTTP request, they are concatenated with a comma (,) separator instead of the correct semicolon-space ("; ") separator required by RFC 6265.

Example:

Cookie: session=abc123
Cookie: user=john

Current behavior:

HTTP_COOKIE = "session=abc123,user=john"

Expected behavior:

HTTP_COOKIE = "session=abc123; user=john"

[andyquinterom]

If we run

library(httpuv)

s <- startServer(host = "0.0.0.0", port = 8080,
  app = list(
    call = function(req) {
      print(req$HTTP_COOKIE)
      body <- paste0("Time: ", Sys.time(), "<br>Path requested: ", req$PATH_INFO)
      list(
        status = 200L,
        headers = list('Content-Type' = 'text/html'),
        body = body
      )
    }
  )
)

and send the following request

curl -H "Cookie: cookie1=value1" -H "Cookie: cookie2=value2" http://localhost:8080

We can see the following output

[1] "cookie1=value1,cookie2=value2"