HTTP 中的多个 Set-cookie 标头
我正在编写一个小类,充当非常基本的 HTTP 客户端。作为我正在进行的项目的一部分,我正在使其具有 cookie 意识。但是,我不清楚当我的客户端收到多个具有相同密钥但设置了不同值的“Set-Cookie”标头时会发生什么。
例如,
Set-Cookie: PHPSESSID=abc; path=/
Set-Cookie: PHPSESSID=def; path=/
Set-Cookie: PHPSESSID=ghi; path=/
其中哪一项应该是 PHPSESSID 的值?当您在同一页面上调用 session_start() 然后调用 session_regenerate_id() 时,通常会发生这种情况。每个都会设置自己的标题。所有浏览器似乎都可以处理这个问题,但我似乎无法让我的客户选择正确的浏览器。
有什么想法吗?
I'm writing a small class that acts as a very basic HTTP client. As part of a project I'm working on, I'm making it cookie aware. However, it's unclear to me what happens when my client receives multiple "Set-Cookie" headers with the same key but different values are set.
For example,
Set-Cookie: PHPSESSID=abc; path=/
Set-Cookie: PHPSESSID=def; path=/
Set-Cookie: PHPSESSID=ghi; path=/
Which one of these is supposed to be the value for PHPSESSID? This usually ends up happening when you call session_start() and then session_regenerate_id() on the same page. Each will set its own header. All browsers seem to do okay with this, but I can't seem to get my client to pick the right one out.
Any ideas?!
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
RFC 6265 第 4.1.2 节 指出:
因此,我会按给定的顺序处理标头,并在存在重复项时覆盖它们。因此,在您的情况下,您将只有一个 PHPSESSID=ghi。
RFC 6265 section 4.1.2 states:
So I would process the headers in order given and overwrite them if there is a duplicate. So in your case you would have just one PHPSESSID=ghi.
RFC 6265 指出:
因此,如果您的服务使用相同的密钥发送多个 Set-Cookie 标头,我会非常担心。特别是因为我看到用户代理和代理的行为出乎意料 - 有时采用第一个标头的值,有时重新排列标头。
作为客户端,典型的用户代理行为似乎是获取最后一个标头的值。 RFC 通过以下声明暗示了这种行为:
RFC 6265 states:
I would therefore be very concerned if your service sends multiple Set-Cookie headers with the same key. Especially because I have seen user agents and proxies behave unexpectedly - sometimes taking the value of the first header, sometimes rearranging headers.
As a client, the typical user agent behavior seems to be to take the value of the last header. The RFC alludes to that behavior with this statement: