I need to understand the format of an HTTP cookie when used with the Secure and HttpOnly flags.
Looking at the Mozilla explanation, there is this example:
Set-Cookie: id=a3fWa; Expires=Wed, 21 Oct 2015 07:28:00 GMT; Secure; HttpOnly
If I have multiple cookies, do they need multiple Set-Cookie headers, each with the Secure and HttpOnly flags? Or are they written once? Please clarify this for me.
Yes, they need multiple Set-Cookie headers, each with the Secure and HttpOnly flags, such as:
Set-Cookie: id=a3fWa; Expires=Wed, 21 Oct 2015 07:28:00 GMT; Secure; HttpOnly
Set-Cookie: foo=Hello; Expires=Wed, 21 Oct 2015 07:28:00 GMT; Secure; HttpOnly
Set-Cookie: bar=World; Expires=Wed, 21 Oct 2015 07:28:00 GMT; Secure; HttpOnly
According to RFC 6265, which defines the Cookie and Set-Cookie headers in HTTP:
Origin servers SHOULD NOT fold multiple Set-Cookie header fields into a single header field.
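Two practical consequences of the answer above, as an added Python example (this is not code from the original question or answer): a server emits one Set-Cookie header per cookie and repeats Secure and HttpOnly on each one, and a client or audit script must enumerate the Set-Cookie headers individually, because a folded value cannot be split back apart on commas (the Expires date itself contains one). The raw response header block, the cookie names and the function names are constructed for this example; `http.client.parse_headers` and `HTTPMessage.get_all` are standard-library calls.

```python
"""Emit and audit per-cookie Set-Cookie headers.

Added example, not part of the original post. The sample header block below is
constructed here; nothing is fetched from the network.
"""
from io import BytesIO
from http.client import parse_headers

# Constructed sample response headers: three cookies, each in its own Set-Cookie
# header as RFC 6265 requires. "foo" lacks HttpOnly and "bar" lacks Secure.
RAW_RESPONSE_HEADERS = (
    b"Content-Type: text/html\r\n"
    b"Set-Cookie: id=a3fWa; Expires=Wed, 21 Oct 2015 07:28:00 GMT; Secure; HttpOnly\r\n"
    b"Set-Cookie: foo=Hello; Expires=Wed, 21 Oct 2015 07:28:00 GMT; Secure\r\n"
    b"Set-Cookie: bar=World; Path=/; HttpOnly\r\n"
    b"\r\n"
)


def build_set_cookie_headers(cookies, expires):
    """Server side: one Set-Cookie value per cookie.

    Secure and HttpOnly are attributes of a single cookie, so they are repeated
    on every header rather than written once for the whole response. A server
    would send each returned string as its own header line (for example by
    calling send_header("Set-Cookie", value) once per value).
    """
    return [f"{name}={value}; Expires={expires}; Secure; HttpOnly"
            for name, value in cookies.items()]


def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, cookie_value, {attribute: value}).

    Attribute names are matched case-insensitively, as RFC 6265 section 5.2
    requires, so "secure", "Secure" and "SECURE" are all recognised.
    """
    parts = [p.strip() for p in value.split(";")]
    name, _, cookie_value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), cookie_value, attrs


def audit_set_cookie_headers(header_values, required=("secure", "httponly")):
    """Return {cookie name: [missing flags]} for every cookie lacking a required flag."""
    missing = {}
    for value in header_values:
        name, _, attrs = parse_set_cookie(value)
        lacking = [flag for flag in required if flag not in attrs]
        if lacking:
            missing[name] = lacking
    return missing


def set_cookie_values(raw_headers):
    """Client side: enumerate every Set-Cookie header in a raw header block.

    get_all() returns each header separately. A single get()/getheader() would
    return only the first cookie or a comma-joined string, respectively.
    """
    msg = parse_headers(BytesIO(raw_headers))
    return msg.get_all("Set-Cookie") or []


def folded_set_cookie(raw_headers):
    """What a client sees if the headers are folded with ', ' (as
    http.client's getheader() does): the comma inside Expires makes the
    result impossible to split back into individual cookies."""
    return ", ".join(set_cookie_values(raw_headers))


if __name__ == "__main__":
    expires = "Wed, 21 Oct 2015 07:28:00 GMT"
    for line in build_set_cookie_headers({"id": "a3fWa", "foo": "Hello", "bar": "World"}, expires):
        print("Set-Cookie:", line)
    print("audit:", audit_set_cookie_headers(set_cookie_values(RAW_RESPONSE_HEADERS)))
    folded = folded_set_cookie(RAW_RESPONSE_HEADERS)
    print("folded header splits into", len(folded.split(", ")), "pieces, not 3")
```

Running the script prints three complete Set-Cookie lines, reports `{'foo': ['httponly'], 'bar': ['secure']}` for the constructed sample, and shows that the folded string splits into five comma-separated pieces instead of three, which is exactly why RFC 6265 tells origin servers not to fold these headers.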