Description
https://www.rfc-editor.org/rfc/rfc6265.html#section-5.4 (COOKIE)
When the user agent generates an HTTP request, the user agent MUST
NOT attach more than one Cookie header field.
https://tools.ietf.org/html/rfc7540#section-8.1.2.5 (HTTP/2)
To allow for better compression efficiency, the Cookie header field
MAY be split into separate header fields, each with one or more
cookie-pairs. If there are multiple Cookie header fields after
decompression, these MUST be concatenated into a single octet string
using the two-octet delimiter of 0x3B, 0x20 (the ASCII string "; ")
before being passed into a non-HTTP/2 context, such as an HTTP/1.1
connection, or a generic HTTP server application.
I don't know if Kestrel properly accounts for this, we'd have to check. I don't see anything in the HPACK decoder or Kestrel to special case Cookies.
Edit: The client in the reported YARP scenario is Chrome using HTTP/2, so this is almost certainly something we should then a fix in Kestrel.
This hasn't come up before in common AspNetCore scenarios because the cookie parser is tolerant of multiple cookie headers and people don't usually look at the cookie header directly.