12.2 The Cookie Request Header

Each time a browser goes to a Web page, it checks its cookies file for any cookies stored for that URL. If there are any, the browser includes a Cookie header in the request containing the cookie's name=value pairs.

Cookie: name1=value1; name2=value2; . . .

Returned cookies may come from multiple entries in the cookies files, depending on path ranges and domain ranges. For instance, if two cookies from the same site are set with the following headers:

Set-Cookie: Gemstone=Diamond; path=/
Set-Cookie: Gemstone=Emerald; path=/caves

when the browser requests a page at the site in the /caves path, it will return

Cookie: Gemstone=Emerald; Gemstone=Diamond

Both items share the same name, but since they are separate cookies, they both apply to the particular URL in /caves. When returning cookies, the browser will return the most specific path or domain first, followed by less specific matches.

The preliminary cookies specification places some restrictions on the number and size of cookies:

• Clients should be able to support at least 300 total cookies. Servers should not expect a client to store more.

• The limit on the size of each cookie (name and value combined) should not exceed 4 kilobytes.

• A maximum of 20 cookies per server or domain is allowed. This limit applies to each specified server or domain, so www.ora.com is allowed 20, and software.ora.com is allowed 20, if they are each specified by their full names.

An issue arises with proxy servers in regard to the headers. Both the Set-Cookie and Cookie headers should be propagated through the proxy even if a page is cached or has not been modified (according to the If-Modified-Since condition). The Set-Cookie header should also never be cached by the proxy.