Cookie header values should be separated by semi-colon not comma.

[ManickaP]

RFC HTTP State Management Mechanism
Grammar:

   cookie-header = "Cookie:" OWS cookie-string OWS
   cookie-string = cookie-pair *( ";" SP cookie-pair )

We already properly concatenated within SocketsHttpHandler when we merge request headers with cookies from the container: https://github.com/dotnet/runtime/blob/master/src/libraries/System.Net.Http/src/System/Net/Http/SocketsHttpHandler/HttpConnection.cs#L247

We should do the same for all Cookie header values.

Repro:

var client = new HttpClient();
var message = new HttpRequestMessage(HttpMethod.Get, "http://localhost:5001");

// All of the Cookie header bellow will get concatenated with ','.
message.Headers.Add("Cookie", new [] {"test1=1","test2=2"});
message.Headers.Add("Cookie", "test3=3");
message.Headers.TryAddWithoutValidation("Cookie", new [] {"test4=4", "test5=5"});
message.Headers.TryAddWithoutValidation("Cookie", "test6=6");
var response = await client.SendAsync(message);

Wireshark snip:

Upon first look, adding a custom HttpHeaderParser overriding the separator and using it for Cookie in known header definitions: https://github.com/dotnet/runtime/blob/master/src/libraries/System.Net.Http/src/System/Net/Http/Headers/KnownHeaders.cs#L43 should do the trick.

Original issue: dotnet/yarp#437

Tagging subscribers to this area: @dotnet/ncl
See info in area-owners.md if you want to be subscribed.

[geoffkizer]

For historical reasons we have not added strongly-typed access to the Cookie property. I believe the thinking here is that we wanted users to use the automatic cookie management rather than trying to manage cookies themselves.

That said, I'm not sure that reason still holds up. So I'd be in favor of adding support for this.

[ManickaP]

I did a bit more digging to see what the results are when combined with cookies from CookieContainer and whether there are any differences between H/2 and H/1.

Updated repro:

var handler = new HttpClientHandler();
handler.CookieContainer.Add(new System.Net.Cookie("container_test1", "1", path: "/", domain: "localhost"));
handler.CookieContainer.Add(new System.Net.Cookie("container_test2", "2", path: "/", domain: "localhost"));
var client = new HttpClient(handler);
var message = new HttpRequestMessage(HttpMethod.Get, "http://localhost:5001");

message.Headers.Add("Cookie", new [] {"test1=1","test2=2"});
message.Headers.Add("Cookie", "test3=3");
message.Headers.TryAddWithoutValidation("Cookie", new [] {"test4=4", "test5=5"});
message.Headers.TryAddWithoutValidation("Cookie", "test6=6");
var response = await client.SendAsync(message);

HTTP 1.1 result:

Cookie: test4=4; container_test1=1; container_test2=2, test5=5, test6=6, test1=1, test2=2, test3=3\r\n
    Cookie pair: test4=4
    Cookie pair: container_test1=1
    Cookie pair: container_test2=2, test5=5, test6=6, test1=1, test2=2, test3=3

It writes the 0th cookie header value, then cookies from the container, and lastly the rest.

runtime/src/libraries/System.Net.Http/src/System/Net/Http/SocketsHttpHandler/HttpConnection.cs

Lines 243 to 248 in 2707771

	await WriteStringAsync(_headerValues[0], async, valueEncoding).ConfigureAwait(false);
	if (cookiesFromContainer != null && header.Key.KnownHeader == KnownHeaders.Cookie)
	{
	await WriteTwoBytesAsync((byte)';', (byte)' ', async).ConfigureAwait(false);
	await WriteStringAsync(cookiesFromContainer, async, valueEncoding).ConfigureAwait(false);

HTTP 2.0 result:

    Header: cookie: test4=4, test5=5, test6=6, test1=1, test2=2, test3=3
    Header: cookie: container_test1=1; container_test2=2

It writes separately cookies from the container and the rest.

runtime/src/libraries/System.Net.Http/src/System/Net/Http/SocketsHttpHandler/Http2Connection.cs

Lines 1249 to 1252 in 2707771

	WriteBytes(KnownHeaders.Cookie.Http2EncodedName, ref headerBuffer);
	Encoding? cookieEncoding = _pool.Settings._requestHeaderEncodingSelector?.Invoke(KnownHeaders.Cookie.Name, request);
	WriteLiteralHeaderValue(cookiesFromContainer, cookieEncoding, ref headerBuffer);

[Tratcher]

https://www.rfc-editor.org/rfc/rfc6265.html#section-5.4

When the user agent generates an HTTP request, the user agent MUST
NOT attach more than one Cookie header field.

https://tools.ietf.org/html/rfc7540#section-8.1.2.5 (HTTP/2)

To allow for better compression efficiency, the Cookie header field
MAY be split into separate header fields, each with one or more
cookie-pairs. If there are multiple Cookie header fields after
decompression, these MUST be concatenated into a single octet string
using the two-octet delimiter of 0x3B, 0x20 (the ASCII string "; ")
before being passed into a non-HTTP/2 context, such as an HTTP/1.1
connection, or a generic HTTP server application.

[karelz]

Triage: Only 1 report so far, moving to Future.