CookiePlugin adds multiple Cookie headers to the Request #54

Closed
@Maff-

Q             A
Bug?          yes
New Feature?  no
Version       v1.4.0, and probably previous as well

Actual Behavior

When using the CookiePlugin with a CookieJar filled with multiple applicable Cookies, each will add a new Cookie: key=value header to the Request. Or maybe concatenate them, separated by a comma (,).

Expected Behavior

Only one Cookie header should be added to the request, with the key-value pairs separated by ; .

RFC 6265 Section 5.4:

When the user agent generates an HTTP request, the user agent MUST
NOT attach more than one Cookie header field.

Steps to Reproduce

$cookieJar = new \Http\Message\CookieJar();
$cookieJar->addCookies([
    new \Http\Message\Cookie('foo', 'bar'),
    new \Http\Message\Cookie('cookie', 'oreo'),
]);

$plugin = new \Http\Client\Common\Plugin\CookiePlugin($cookieJar);

$request = new \GuzzleHttp\Psr7\Request('GET', 'http://127.0.0.1/');
$response = new \GuzzleHttp\Psr7\Response();

$noop = function(\GuzzleHttp\Psr7\Request $request) use($response) {
    var_dump($request->getHeaderLine('Cookie'));
    return new Http\Promise\FulfilledPromise($response);
};

$plugin->handleRequest($request, $noop, $noop);

// "foo=bar, cookie=oreo"

It's a little hard to demonstrate with only the client-common package, but when using the HttplugBundle one can easily see the problem when firing a request at httpbin/RequestBin

(I was using the Guzzle6 client btw)

Possible Solutions

I think the problem lies in the fact that Request::withAddedHeader('Cookie', ...) gets called multiple times, as can be seen here.

The \GuzzleHttp\Psr7\Request object doesn't handle the Cookie header in any special way, so it won't join those lines the proper way.

I believe the CookieJar should join the cookie key-value pairs and only set the Cookie header once.

Some feedback would be welcome, as I'm not 100% sure where this issue should be resolved. (In this package, in guzzle/psr7 or the client(s))


If the route of fixing this package would be taken, you might also want to consider implementing step 2 mentioned in RFC 6265 Section 5.4:

  2. The user agent SHOULD sort the cookie-list in the following
     order:

     • Cookies with longer paths are listed before cookies with
       shorter paths.

     • Among cookies that have equal-length path fields, cookies with
       earlier creation-times are listed before cookies with later
       creation-times.
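
The behaviour the issue asks for, as an added example that is not part of the original issue or the project's code: all applicable cookies are joined into one Cookie header value with "; ", sorted in the RFC 6265 Section 5.4 order quoted above. The function name `buildCookieHeader`, the plain-array cookie shape and the `created` timestamp field are assumptions made for illustration; they are not the `\Http\Message\Cookie` API.

```php
<?php
declare(strict_types=1);

/**
 * Build one Cookie header value from a list of cookies.
 * Each cookie is a plain array (hypothetical shape, not \Http\Message\Cookie):
 *   name, value, path, created (Unix timestamp at which the cookie was stored).
 */
function buildCookieHeader(array $cookies): string
{
    // RFC 6265 section 5.4 ordering: longer paths first; among paths of
    // equal length, the cookie created earlier comes first.
    usort($cookies, function (array $a, array $b): int {
        $byPath = strlen($b['path']) <=> strlen($a['path']);
        return $byPath !== 0 ? $byPath : $a['created'] <=> $b['created'];
    });

    $pairs = [];
    foreach ($cookies as $cookie) {
        // Reject control characters, whitespace, ';' and ',' (none of them is
        // allowed in an RFC 6265 cookie name or value), so a stored cookie
        // cannot break the header line or add extra pairs to the list.
        if (preg_match('/[\x00-\x20\x7F;,]/', $cookie['name'] . $cookie['value'])) {
            throw new InvalidArgumentException('Invalid character in cookie name or value');
        }
        $pairs[] = $cookie['name'] . '=' . $cookie['value'];
    }

    // A single header value: pairs separated by "; ", never by ",".
    return implode('; ', $pairs);
}

// Constructed sample jar contents, extending the two cookies from the report.
$jar = [
    ['name' => 'foo',    'value' => 'bar',  'path' => '/',      'created' => 100],
    ['name' => 'cookie', 'value' => 'oreo', 'path' => '/',      'created' => 50],
    ['name' => 'sid',    'value' => 'abc',  'path' => '/admin', 'created' => 200],
];

echo buildCookieHeader($jar), PHP_EOL;
```

A caller would set the returned string once with `withHeader('Cookie', ...)` rather than calling `withAddedHeader` per cookie.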
