From: Rich Bowen <rbowen@apache.org>
Date: Wed, 29 Apr 2026 19:50:05 +0000 (+0000)
Subject: mod_headers: Note that Set-Cookie is an exception to comma-separated append per RFC... 
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=2834611d6149dd1ec56f5d4bce770fc94b29a74f;p=thirdparty%2Fapache%2Fhttpd.git

mod_headers: Note that Set-Cookie is an exception to comma-separated append per RFC 6265 (Bug 62213)

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1933534 13f79535-47bb-0310-9956-ffa450edef68
---

diff --git a/docs/manual/mod/mod_headers.xml b/docs/manual/mod/mod_headers.xml
index 26540c1007..d0a75fb6bd 100644
--- a/docs/manual/mod/mod_headers.xml
+++ b/docs/manual/mod/mod_headers.xml
@@ -358,6 +358,10 @@ available in 2.4.10 and later</compatibility>
     the same name. When a new value is merged onto an existing
     header it is separated from the existing header with a comma.
     This is the HTTP standard way of giving a header multiple values.
+    Note that the <code>Set-Cookie</code> header is an exception:
+    <rfc>6265</rfc> requires multiple <code>Set-Cookie</code> headers
+    rather than combining values with commas. Use <code>add</code>
+    instead of <code>append</code> for <code>Set-Cookie</code>.
     <br/><br/><p>Choosing a <var>condition</var>: If the existing header to be appended to was added by this module, you must match the condition
     parameter that was originally used. Otherwise, you must determine by trial
     and error whether <code>always</code> should be specified because you can't