Set-Cookie header in Glassfish-5: folding several cookies in one header not working on Firefox (https + HTTP/2.0)
I noticed that Glassfish-5 web server sends responses with only one
Set-Cookie header, which contains several cookies. When I looking with firebug, I can see that they are separated by unknown character. Anyway - the Firefox reads only the first cookie. How to configure Glassfish5 to send several Set-Cookie headers - one for each cookie? rfc6265 states that:
Origin servers SHOULD NOT fold multiple Set-Cookie header fields into a single header field. The usual mechanism for folding HTTP headers fields (i.e., as defined in [RFC2616]) might change the semantics of the Set-Cookie header field because the %x2C (",") character is used by Set-Cookie in a way that conflicts with such folding.
Also here it is stated:
When sending an HTTP Response with multiple cookies, CFHTTPMessage combines the cookies into a comma-separated list under a single "Set-Cookie" HTTP header. (This is referred to as "set-cookie-folding".)
Set-cookie-folding is NOT supported on Google Chrome, Firefox, and Internet Explorer. Each of those browsers will completely ignore every cookie after the first comma, rendering CFHTTPMessage completely useless for handling HTTP responses with multiple cookies in any browser other than Safari (which supports cookie-folding).
I've noticed that this happens only on HTTPS connections.
Also, I've opened an issue on Github here.
Glassfish 5 uses Grizzly Framework 2.4.0 - I think sources available in grizzly-http-servlet-2.4.0-sources.jar - but can not find a code piece where the cookies are joined together in one line..
I can confirm now that it is related only to HTTP/2.0 protocol, tested on firefox by enabling/disabling
about:config. On HTTP/1.1 via HTTPS cookies are set as expected.