Set multiple cookies in Apache

Asked 17/5, 2013 at 0:34 Answered 11/6, 2014 at 14:4

I'm trying to set two cookies in Apache (2.2), using mod_header, like so:

Header set Set-Cookie "poodle=noodle;path=/;Secure;HttpOnly;Expires=Wed, Jan 01 2020 2:02:02 GMT"
Header set Set-Cookie "tweedle=puddle;path=/;Secure;HttpOnly;Expires=Wed, Jan 01 2020 2:02:02 GMT"

But only the last cookie is being sent to the browser. I've done some searching, but only found people having this problem with no solution. I've tried combining them into one:

Header set Set-Cookie "poodle=noodle;tweedle=puddle;path=/;Secure;HttpOnly;Expires=Wed, Jan 01 2020 2:02:02 GMT"

Same problem. Do I need to use "Header append" instead? Any examples would be appreciated.

Cockerham answered 17/5, 2013 at 0:34 Comment(0)

I would use mod_rewrite with the cookie flag the syntax is:

 [CO=NAME:VALUE:DOMAIN:lifetime:path:secure:httponly]

So you want something similar to:

RewriteEngine On
RewriteRule .* -  [CO=poodle:noodle:example.com:0:/:true:true]
RewriteRule .* -  [CO=tweedle:puddle:example.com:0:/:true:true]

Dump answered 17/5, 2013 at 3:38 Comment(1)

Works great, thanks. I never noticed the [CO] section of the docs for mod_rewrite until now. – Cockerham 21/5, 2013 at 20:30

According to the Apache manual http://httpd.apache.org/docs/current/mod/mod_headers.html#header you should use append:

Header append Set-Cookie "poodle=noodle;path=/;Secure;HttpOnly;Expires=Wed, Jan 01 2020 2:02:02 GMT"
Header append Set-Cookie "tweedle=puddle;path=/;Secure;HttpOnly;Expires=Wed, Jan 01 2020 2:02:02 GMT"

or according to HTTP use comma to separate multiple values:

Header append Set-Cookie "poodle=noodle;path=/;Secure;HttpOnly;Expires=Wed, Jan 01 2020 2:02:02 GMT, tweedle=puddle;path=/;Secure;HttpOnly;Expires=Wed, Jan 01 2020 2:02:02 GMT"

or use Header add if you want avoid comma separated cookies in one header to follow suggestions in RFC 6265 section 3 (as noted by @SteveC):

Header add Set-Cookie "poodle=noodle;path=/;Secure;HttpOnly;Expires=Wed, Jan 01 2020 2:02:02 GMT"
Header add Set-Cookie "tweedle=puddle;path=/;Secure;HttpOnly;Expires=Wed, Jan 01 2020 2:02:02 GMT"

Dysphasia answered 11/6, 2014 at 14:4 Comment(7)

Do you hardcode the expires date on your Set-Cookie entry? How do you get that to be dynamic? – Epiglottis 10/4, 2015 at 20:5

you can use max-age attribute (tools.ietf.org/html/rfc6265) with seconds, or you do some math with the request time ... but i do not kow how. – Dysphasia 14/4, 2015 at 7:30

max-age doesn't work with IE11 or earlier: mrcoles.com/blog/cookies-max-age-vs-expires/ – Epiglottis 14/4, 2015 at 19:40

By the way, I asked how to set the expires dynamically in the Set-Cookie entry here: https://mcmap.net/q/1030547/-apache-how-to-use-quot-header-set-set-cookie-expires-lt-date-gt-quot-dynamically/1601989 – Epiglottis 14/4, 2015 at 21:40

You cannot use Header append Set-Cookie because this will just append the cookie value to any existing Set-Cookie header with a comma. This is forbidden by RFC6265. – Quittor 29/5, 2017 at 7:4

@SteveC, it is only "should not" and not forbidden - if your referring to section 3 of RFC6265, but you can use "Header add" instead of "append" for Set-Cookie – Dysphasia 9/6, 2017 at 9:51

Header add worked for me but the first two ways didn't work – Vertievertiginous 1/2, 2021 at 10:0

Recommended topics

Hot tags