Is calling HttpServletResponse.addCookie(); (from servlet-api-2.5) multiple times using a cookie with the same name

Question

0

Asked: May 15, 20262026-05-15T14:09:52+00:00 2026-05-15T14:09:52+00:00

Is calling HttpServletResponse.addCookie(); (from servlet-api-2.5) multiple times using a cookie with the same name

0

Is calling

HttpServletResponse.addCookie();

(from servlet-api-2.5) multiple times using a cookie with the same name safe?

Safe in the sense of that there is a deterministic behavior, e.g. the subsequent calls will be ignored (the first wins) or the subsequent calls will always replace the cookie or something like that?

Example:

HttpServletResponse response = ...;
response.addCookie(new Cookie("foo", "bar"));
response.addCookie(new Cookie("foo", "42"));

Which value will be transferred to and stored by the browser?

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-05-15T14:09:52+00:00

Updated answer – as the comments from @skaffman and @Stephen C show this is not ideal practice.

The RFC Spec at http://www.ietf.org/rfc/rfc2109.txt states

The NAME=VALUE attribute-value pair
must come first in each cookie. If an attribute appears
more than once in a cookie, the
behavior is undefined.

On Tomcat server, the behaviour is the actual headers sent to the browser:

Set-Cookie: foo=bar
Set-Cookie: foo=42

Here foo gets overwritten. Reading the cookie later gives you 42.

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

Is calling HttpServletResponse.addCookie(); (from servlet-api-2.5) multiple times using a cookie with the same name

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply