Undertow / UNDERTOW-2603

Quoted values and comma separator cookie parsing is broken


    • Type: Bug
    • Resolution: Unresolved
    • Priority: Major

      Marking it as internal for now. There is essentially a bug that went unnoticed, since right now Undertow does not allow cookies with the same name to exist - those are just ignored. This changes in https://issues.redhat.com/browse/UNDERTOW-2194.

      NOTE: 2194 aims to improve cookie handling, i.e. allow duplicate names with different path/domain, which is not possible right now in Undertow.
      NOTE2: Tomcat addCookie does not discriminate content, i.e. it's possible to add exact copies of cookies, which are then sorted properly on the UA side. Undertow does not allow that, and that's a requirement for backward compatibility.

      For now it's set as "Major".

      My preliminary assessment is that quoted value cookie parsing is flawed. So what happens:
      1. Test value from CookiesTestCase.java#L206#testCommaSeparatedCookies: "CUSTOMER=\"WILE_E_COYOTE\", SHIPPING=FEDEX"
      2. Cookies.parseCookie properly gets K=CUSTOMER and recognizes that the value is quoted.
      3. At state = 2 it goes into Cookies.java#L298 and changes to state 3, with containsEscapedQuotes = false; inQuotes = true;
      4. In state 3, depending on the value of rfc6265ParsingDisabled, it resets inQuotes to false, but in the case of the test it does not, and it leaks. Upon reaching the ending ", it will dive into Cookies.java#L329, which will create the cookie CUSTOMER=WILE_E_COYOTE. Subsequently it will set state = 0, which will trigger a new round of discovery.
      5. Remaining cookie input: ", SHIPPING=FEDEX". On another respin, the next cookie character is ',', which means cookie parsing will fall into state 1 and, upon Cookies.java#L281, since name is never reset and we got a separator, it extracts another cookie, with empty value "". However, since Cookies#createCookie does not allow duplicates, it's ignored.

      The above is a bug, but it's silently ignored; it's not the case with 2194 applied.

      flaviarnn ^^

              rhn-cservice-bbaranow Bartosz Baranowski
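The name carry-over walked through in steps 2 to 5, as an added example that is not part of the original report and is not Undertow's `Cookies.java`: a simplified model of states 0 to 3 that records every pair the parser emits, then applies a first-wins duplicate drop. It assumes comma is always treated as a separator, and it leaves out `inQuotes` and escaped-quote handling; the class name, `parse` and the `resetName` flag are hypothetical, with `resetName` showing one possible correction rather than the project's fix.

```java
import java.util.*;
// Simplified model of the parser states described in the report; NOT Undertow's Cookies.java.
public class QuotedCommaCookieModel {
    // Returns every name=value pair the state machine emits, in order.
    // resetName=false models the reported behaviour; true is one hypothetical correction.
    static List<String> parse(String header, boolean resetName) {
        List<String> emitted = new ArrayList<>();
        String name = null;
        int state = 0, start = 0;
        for (int i = 0; i < header.length(); i++) {
            char c = header.charAt(i);
            if (state == 0) {                                // skip leading whitespace
                if (c == ' ' || c == '\t' || c == ';') { start = i + 1; continue; }
                state = 1;                                   // fall into key extraction
            }
            if (state == 1) {                                // extract key
                if (c == '=') { name = header.substring(start, i); start = i + 1; state = 2; }
                else if (c == ';' || c == ',') {
                    if (name != null) emitted.add(name + "=" + header.substring(start, i));
                    state = 0; start = i + 1;
                }
            } else if (state == 2) {                         // extract unquoted value
                if (c == ';' || c == ',') {
                    emitted.add(name + "=" + header.substring(start, i));
                    if (resetName) name = null;
                    state = 0; start = i + 1;
                } else if (c == '"' && start == i) { state = 3; start = i + 1; }
            } else if (c == '"') {                           // state 3: closing quote ends the value
                emitted.add(name + "=" + header.substring(start, i));
                if (resetName) name = null;                  // without this, the old name leaks into state 1
                state = 0; start = i + 1;
            }
        }
        if (state == 2) emitted.add(name + "=" + header.substring(start));
        return emitted;
    }
    public static void main(String[] args) {
        String header = "CUSTOMER=\"WILE_E_COYOTE\", SHIPPING=FEDEX"; // test value quoted in the report
        List<String> raw = parse(header, false);
        Map<String, String> firstWins = new LinkedHashMap<>();  // models "duplicates are ignored"
        for (String kv : raw) firstWins.putIfAbsent(kv.substring(0, kv.indexOf('=')), kv.substring(kv.indexOf('=') + 1));
        System.out.println("emitted, name not reset: " + raw);
        System.out.println("after duplicate drop:    " + firstWins);
        System.out.println("emitted, name reset:     " + parse(header, true));
    }
}
```

Comparing the first two printed lines shows why the defect stays hidden: the phantom empty-valued `CUSTOMER` pair is emitted but discarded by the duplicate drop, so a regression test for this needs to assert on the emitted pairs, not only on the final cookie map.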