Hey Alessio, Well, that's a good question. I guess the first thing to notice is that JBEAP-11442 refers to "optional support for RFC6265" in Undertow, so there's nothing being forced on us. There are 25 Resteasy JIRAs that mention cookies. 1. A lot of these are old and I've ignored them. 2. There are a few issues closed by me, Jim, and Rebecca that are bug fixes, and, as such, I don't think they can cause any problems, since they would just, if anything, bring us closer to correct implementation of the spec (but see below). 3. And then there's RESTEASY-1516 "Cookies sent by resteasy-client are not spec compliant" (open) and the related RESTEASY-1266 "Fix cookie processing" (closed). I started to get ambitious in RESTEASY-1266 and then just did a bug fix and closed it. That leaves RESTEASY-1516, for which I created https://github.com/jax-rs/api/issues/554 "Clarify documentation ambiguities", which refers to https://github.com/jax-rs/api/issues/435 "Update Cookie and NewCookie to RFC 6265". There doesn't seem to be any reaction to either of them. The problem is that the JAX-RS spec (specifically javax.ws.rs.core.Cookie and javax.ws.rs.core.NewCookie) refer to IETF RFC 2109, which is now obsolete. It seems to me that the Expert Group should at least do something like what Undertow is doing, by making the Cookie spec configurable. Until then, I guess the most we could do is add an option to configure which Cookie spec to use, taking advantage of what they've done in Undertow. I don't have any sense of how useful that would be. -Ron On 08/17/2017 02:37 AM, Alessio Soldano wrote: -- My company's smarter than your company (unless you work for Red Hat)