ssl cookies header http-headers setcookie

Is this a valid Set-Cookie syntax

I find a Set-Cookie header which I need to know if it is valid syntax or not.

SessionId=ccc; path=/; HttpOnly, Secure; HttpOnly

My questions mainly are:

1) Is it valid to use comma before the directive Secure?

2) Is the directive Secure always preceded by a cookie value in the form of x=y? I mean the order. Can the directive Secure comes before the equation? or without equation?

I am at loss and either the above header is misconfigured or I am wrong. From my understanding of the Set-Cookie header syntax in Mozilla site here the directive Secure should always be preceded by a semicolon, then space, as in: ; Secure after the word Secure, there can be either a semicolon ; or it is the end of line. Please, clearify, I need accurate answer to write a regexp.

Solution

In this RFC document you will find detailed information on the grammar set cookie: https://www.rfc-editor.org/rfc/rfc6265#page-8

AWS EC2 Spring Boot Deployment - SSL/HTTPS Error after Configuring Route 53, ACM, and GoDaddy
Resolving javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed Error?
Implicitly trust SSL certificates in iOS app for private API
Protecting against MitM (https) seeing password with encryption using included pub. key in iOS/Android app
Docker not able to pull images behind proxy TLS handshake timeout
HTTP to HTTPS Nginx too many redirects
curl error 60 while downloading https://repo.packagist.org Certificate issue on Ubuntu?
nginx the "ssl" directive is deprecated, use the "listen ... ssl"
How to install OpenSSL in windows 10?
How to enable TLS for Redis 6 on Sidekiq?
SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
Can't send client certificate via SslStream
How to secure multiple wildcard domain names in single SSL certificate?
cURL error 60: SSL certificate problem: certificate has expired
Importing SSL Certificate into Eclipse
WARN: Establishing SSL connection without server's identity verification is not recommended
How to connect an ESP32 to MQTT server with public IP and SSL?
SSL Localhost Privacy error
Load CA root certificate at runtime in Java
CertPathValidatorException : Trust anchor for certificate path not found - Retrofit Android
CURL showing "No required SSL certificate was sent" eve
How to know which TLS version is being used by gRPC?
Securing grafana ingress with tls in kube-prometheus-stack values.yaml and make grafana available via https
MariaDB update causes client connection problem : mariadb.OperationalError: TLS/SSL error: SSL is required, but the server does not support it
HTTPS connections to cloudfront / S3 using godaddy domain
SSL Self-Signed Certificates Issue in Gitlab
Composer Curl error 60: SSL certificate problem: unable to get local issuer certificate
Nginx keeps showing "welcome to nginx" for https but it's working fine with http
PostgreSQL `aws_s3` Extension: SSL Certificate Verification Failed with Self-Signed Certificate
SSLmode in FireDac for connection to Postgres