http - Is it possible to set more than one cookie with a single Set-Cookie?

Question

One HTTP Set-Cookie directive can only hold one cookie, is it right? I mean, one single name=value pair?

Answer 1

The original cookie specification of Netscape (see this cached version) does not say anything about listing multiple cookie declarations.

But as of Set-Cookie as defined by RFC 2109 allows a comma separated list of cookie declaration:

Informally, the Set-Cookie response header comprises the token Set-Cookie:, followed by a comma-separated list of one or more cookies. Each cookie begins with a NAME=VALUE pair, followed by zero or more semi-colon-separated attribute-value pairs.

The same applies to Set-Cookie2 as defined by RFC 2965:

Informally, the Set-Cookie2 response header comprises the token Set-Cookie2:, followed by a comma-separated list of one or more cookies. Each cookie begins with a NAME=VALUE pair, followed by zero or more semi-colon-separated attribute-value pairs.

But since most user agents still follow Netscape’s original specification, I would rather suggest to just declare each cookie with its own Set-Cookie header field.

This is also what the latest RFC 6265 reflects:

Origin servers SHOULD NOT fold multiple Set-Cookie header fields into a single header field. The usual mechanism for folding HTTP headers fields (i.e., as defined in [RFC2616]) might change the semantics of the Set-Cookie header field because the %x2C (",") character is used by Set-Cookie in a way that conflicts with such folding.