From b18a1654c1cfa19269553977bf2dda41bcbf0fa7 Mon Sep 17 00:00:00 2001
From: Jay Satiro <raysatiro@yahoo.com>
Date: Mon, 25 May 2015 17:27:53 -0400
Subject: [PATCH] CURLOPT_COOKIELIST.3: Explain Set-Cookie without a domain

Document that if Set-Cookie is used without a domain then the cookie is
sent for any domain and will not be modified.

Bug: http://curl.haxx.se/mail/lib-2015-05/0137.html
Reported-by: Alexander Dyagilev
---
 docs/libcurl/opts/CURLOPT_COOKIELIST.3 | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/docs/libcurl/opts/CURLOPT_COOKIELIST.3 b/docs/libcurl/opts/CURLOPT_COOKIELIST.3
index 630cf8932..1058936c7 100644
--- a/docs/libcurl/opts/CURLOPT_COOKIELIST.3
+++ b/docs/libcurl/opts/CURLOPT_COOKIELIST.3
@@ -36,6 +36,13 @@ Such a cookie can be either a single line in Netscape / Mozilla format or just
 regular HTTP-style header (Set-Cookie: ...) format. This will also enable the
 cookie engine. This adds that single cookie to the internal cookie store.
 
+If you use the Set-Cookie format and don't specify a domain then the cookie
+is sent for any domain and will not be modified. If a server sets a cookie of
+the same name (or maybe you've imported one) then both will be sent on a future
+transfer to that server, likely not what you intended. Either set a domain in
+Set-Cookie (doing that will include sub domains) or use the Netscape format as
+shown in EXAMPLE.
+
 Additionally, there are commands available that perform actions if you pass in
 these exact strings:
 .IP ALL