Both RFC 2109 (which JAX-RS follows despite not being implemented by anyone) and RFC 6265 (which documents and specify how cookies actually work on the web) allow multiple cookies per Cookie header, separated by ;.

RFC 2109 makes it a bit harder to parse those as it allows $Version, $Path and $Domain to be sent along with the name-value pair, but still.

Jersey has it right: https://github.com/jersey/jersey/blob/e3d0c1b14eccf108262279f3f15ffbe8514a322d/core-common/src/main/java/org/glassfish/jersey/message/internal/CookiesParser.java#L73

Resteasy on the other hand will only parse a single name-value pair per Cookie header, the last one, ignoring all other cookies in the header.

Add to that the reliance of JAX-RS on RFC 2109 and you have something unusable in practice.