Each time a browser goes to a Web page, it checks its cookies file for any cookies stored for that URL. If there are any, the browser includes a Cookie header in the request containing the cookie's name=value pairs.
Cookie: name1=value1; name2=value2; . . .
Returned cookies may come from multiple entries in the cookies files, depending on path ranges and domain ranges. For instance, if two cookies from the same site are set with the following headers:
Set-Cookie: Gemstone=Diamond; path=/ Set-Cookie: Gemstone=Emerald; path=/caves
when the browser requests a page at the site in the /caves path, it will return
Cookie: Gemstone=Emerald; Gemstone=Diamond
Both items share the same name, but since they are separate cookies, they both apply to the particular URL in /caves. When returning cookies, the browser will return the most specific path or domain first, followed by less specific matches.
The preliminary cookies specification places some restrictions on the number and size of cookies:
An issue arises with proxy servers in regard to the headers. Both the Set-Cookie and Cookie headers should be propagated through the proxy even if a page is cached or has not been modified (according to the If-Modified-Since condition). The Set-Cookie header should also never be cached by the proxy.