Open Radar

 
Summary:
When sending an HTTP Response with multiple cookies, CFHTTPMessage combines the cookies into a comma-separated list under a single "Set-Cookie" HTTP header. (This is referred to as "set-cookie-folding".)

Set-cookie-folding is NOT supported on Google Chrome, Firefox, and Internet Explorer. Each of those browsers will completely ignore every cookie after the first comma, rendering CFHTTPMessage completely useless for handling HTTP responses with multiple cookies in any browser other than Safari (which supports cookie-folding). 

CFHTTPMessage.c (which is open source) references RFC 2965. However, that specification has been obsoleted by RFC 6265. The most recent specification does not formally forbid Set-Cookie folding. However, because it unsupported on the majority of web browsers, CFHTTPMessage should be modified to send a single cookie per "Set-Cookie:" header. 

This can be done performantly in the function "_CFHTTPMessageCopySerializedHeaders(CFHTTPMessageRef msg, Boolean forProxy)" on line 693 of CFHTTPMessage.c. That function should be modified to include one "Set-Cookie" header for each cookie added to the CFHTTPMessage.

Note: Set-Cookie-Folding can introduce a security vulnerability, which may be why other browser vendors have elected to not support it. For details, see: http://miki.it/blog/2013/9/15/xsrf-cookie-setting-google/

Steps to Reproduce:
N/A -- simply create an CFHTTPMessage with multiple cookies.

Expected Results:
CFHTTPMessage must use a "Set-Cookie" header for EACH cookie rather than combining cookies into a comma-separated list under a single "Set-Cookie" header. This is compatible with all web browsers.

Actual Results:
CFHTTPMessage combines cookies into a comma-separated list under a single "Set-Cookie" header. This causes Google Chrome, Firefox and Internet Explorer to discard all cookies except the first. 

Version:
Xcode Version 5.0.1 (5A2034a). Mac OS X Version 10.9.1, Build 13B42

Notes:


Configuration:
N/A -- happens on all configurations