- Bug
- Resolution: Unresolved
- Major
- None
- 3.0.19.Final, 3.1.0.Beta2
- None
Hi
While debugging an authentication issue with a REST API, I discovered that the current implementation is not spec compliant in two ways:
1) Client sends back too much data to the server
When executing a simple client request with a Cookie like this:
ClientBuilder.newClient().target("http://localhost:8080").request().cookie(new Cookie("myCookieName", "myCookieValue", "/mypath", "mydomain")).get(String.class);
The http header sent to the server is:
Cookie: myCookieName=myCookieValue; Domain=mydomain; Path=/mypath
From my reading of the spec, it should only send:
Cookie: myCookieName=myCookieValue
The header is generated by CookieHeaderDelegate which is probably also used in other parts of the system so I don't have a quickfix.
2) Multiple cookies are sent as separate headers
ClientBuilder.newClient().target("http://localhost:8080").request().cookie(new Cookie("firstCookieName", "firstCookieValue", "/firstCookiepath", "firstCookieDomain")).cookie(new Cookie("secondCookieName", "secondCookieValue", "/secondCookiepath", "secondCookieDomain")).get(String.class);
Generated headers:
Cookie: firstCookieName=firstCookieValue; Domain=firstCookieDomain; Path=/firstCookiepath
Cookie: secondCookieName=secondCookieValue; Domain=secondCookieDomain; Path=/secondCookiepath
Expected header:
Cookie: firstCookieName=firstCookieValue; secondCookieName=secondCookieValue
The specification states:
When the user agent generates an HTTP request, the user agent MUST NOT attach more than one Cookie header field.
The above examples are simplified; I found the issue after a couple of days of debugging an authentication issue where a NewCookie from a response was sent directly back in a request.
The header is generated by CookieHeaderDelegate which is probably also used in other parts of the system so I don't have a quickfix.
- is incorporated by
- RESTEASY-1266 Fix cookie processing
- Resolved
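
The following is an added example, not code from the report or from RESTEasy: it builds the single name=value Cookie header the report expects and checks raw request header lines for the two problems described. SimpleCookie, toRequestHeader and findViolations are hypothetical names, and the attribute check is a heuristic that would also flag a cookie legitimately named like an attribute.

```java
import java.util.*;
import java.util.stream.Collectors;

public class CookieHeaderExample {
    // Hypothetical stand-in for a JAX-RS Cookie; only name and value belong in a request.
    record SimpleCookie(String name, String value, String path, String domain) {}

    // Attribute names that belong in Set-Cookie (response), not in Cookie (request).
    static final Set<String> RESPONSE_ONLY =
            Set.of("domain", "path", "expires", "max-age", "secure", "httponly", "samesite");

    // Build the value of the single Cookie header: name=value pairs joined by "; ".
    static String toRequestHeader(List<SimpleCookie> cookies) {
        return cookies.stream()
                .map(c -> c.name() + "=" + c.value())
                .collect(Collectors.joining("; "));
    }

    // Report both problems from the issue for a list of raw request header lines.
    static List<String> findViolations(List<String> headerLines) {
        List<String> problems = new ArrayList<>();
        List<String> cookieValues = headerLines.stream()
                .filter(h -> h.regionMatches(true, 0, "Cookie:", 0, 7))
                .map(h -> h.substring(7).trim())
                .collect(Collectors.toList());
        if (cookieValues.size() > 1)
            problems.add("more than one Cookie header field (" + cookieValues.size() + ")");
        for (String value : cookieValues) {
            for (String pair : value.split(";")) {
                String name = pair.trim().split("=", 2)[0].toLowerCase(Locale.ROOT);
                if (RESPONSE_ONLY.contains(name))
                    problems.add("response-only attribute sent in request: " + pair.trim());
            }
        }
        return problems;
    }

    public static void main(String[] args) {
        List<SimpleCookie> cookies = List.of(
                new SimpleCookie("firstCookieName", "firstCookieValue", "/firstCookiepath", "firstCookieDomain"),
                new SimpleCookie("secondCookieName", "secondCookieValue", "/secondCookiepath", "secondCookieDomain"));
        System.out.println("Cookie: " + toRequestHeader(cookies));
        // The two header lines quoted in the report, used as sample input.
        List<String> reported = List.of(
                "Cookie: firstCookieName=firstCookieValue; Domain=firstCookieDomain; Path=/firstCookiepath",
                "Cookie: secondCookieName=secondCookieValue; Domain=secondCookieDomain; Path=/secondCookiepath");
        findViolations(reported).forEach(System.out::println);
    }
}
```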