Multiple Set-Cookie headers in CPPRESTSDK

Description

    void add(const key_type& name, const _t1& value)
    {
        if (has(name))
        {
            m_headers[name] =  m_headers[name].append(_XPLATSTR(", ") + utility::conversions::print_string(value));
        }
        else
        {
            m_headers[name] = utility::conversions::print_string(value);
        }
    }

Origin servers SHOULD NOT fold multiple Set-Cookie header fields into
   a single header field.  The usual mechanism for folding HTTP headers
   fields (i.e., as defined in [RFC2616]) might change the semantics of
   the Set-Cookie header field because the %x2C (",") character is used
   by Set-Cookie in a way that conflicts with such folding.

Contributor guide

Tech stack

cpp

Domain

backendapi

Issue type

bug

DifficultyEstimated implementation difficulty for a new contributor, from 1 for very small changes to 5 for expert-level work.

2

Estimated timeA rough time range for an experienced contributor to investigate, implement, test, and prepare a pull request.

1-3 hours

Activity statusHow available the issue appears right now: fresh, active, stale, blocked, or waiting on maintainer input.

stale

ClarityHow clearly the issue explains the expected change, acceptance criteria, and next step.

clear

Prerequisites

Basic C++ knowledgeUnderstanding of HTTP headers

Newbie friendlinessA 1-100 score estimating how approachable this issue is for first-time contributors.

70

Research direction

Review the `web::http::http header::add` method in the cpprestsdk codebase (likely in `cpprest/http headers.h` or similar). The current implementation folds all header values with a comma. According to RFC 6265, Set Cookie headers must not be combined. Implement a special case for Set Cookie to add a new header line instead of appending. Test that multiple Set Cookie headers are sent separately in the HTTP response. Ensure no regression for other headers.