diff --git a/lib/cookie.c b/lib/cookie.c
index 92f7935cca..1516d38f5b 100644
--- a/lib/cookie.c
+++ b/lib/cookie.c
@@ -461,6 +461,13 @@ parse_cookie_header(struct Curl_easy *data,
  sep = TRUE; /* a '=' was used */
  if(!curlx_str_cspn(&ptr, &val, ";\r\n"))
  curlx_str_trimblanks(&val);
+
+ /* Reject cookies with a TAB inside the value */
+ if(curlx_strlen(&val) &&
+ memchr(curlx_str(&val), '\t', curlx_strlen(&val))) {
+ infof(data, "cookie contains TAB, dropping");
+ return CURLE_OK;
+ }
  }
  else
  curlx_str_init(&val);
@@ -489,13 +496,6 @@ parse_cookie_header(struct Curl_easy *data,
  return CURLE_OK;
  }
 
- /* Reject cookies with a TAB inside the value */
- if(curlx_strlen(&val) &&
- memchr(curlx_str(&val), '\t', curlx_strlen(&val))) {
- infof(data, "cookie contains TAB, dropping");
- return CURLE_OK;
- }
-
  /* Check if we have a reserved prefix set. */
  if(!strncmp("__Secure-", curlx_str(&name), 9))
  co->prefix_secure = TRUE;
diff --git a/tests/data/Makefile.am b/tests/data/Makefile.am
index c080c32133..78e3f26585 100644
--- a/tests/data/Makefile.am
+++ b/tests/data/Makefile.am
@@ -225,7 +225,7 @@ test1666 test1667 test1668 \
 \
 test1670 test1671 test1672 test1673 \
 \
-test1680 test1681 test1682 test1683 test1684 \
+test1680 test1681 test1682 test1683 test1684 test1685 \
 \
 test1700 test1701 test1702 test1703 test1704 test1705 test1706 test1707 \
 test1708 test1709 test1710 test1711 test1712 test1713 test1714 test1715 \
diff --git a/tests/data/test1685 b/tests/data/test1685
new file mode 100644
index 0000000000..b98dc20643
--- /dev/null
+++ b/tests/data/test1685
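Review bot: The relocated check in the first lib/cookie.c hunk still rejects only `'\t'`, whereas RFC 6265's cookie-octet grammar also excludes every other control character (0x00-0x1F and 0x7F), and the new test1685 only exercises a TAB inside `path`; the comment should say whether the remaining control bytes are filtered elsewhere in parse_cookie_header or are deliberately tolerated, e.g. `/* Reject a TAB inside any attribute value; other CTLs are rejected by <earlier check> */` with the real location filled in. Because `curlx_str_trimblanks(&val)` runs before the `memchr`, a leading or trailing TAB is presumably stripped as a blank and the cookie is then accepted, so only an interior TAB is caught, which matches the wording "inside the value" but is worth stating explicitly. The early `return CURLE_OK` after `infof()` keeps the previous drop-as-success behaviour; that is only safe if every resource acquired earlier in this parsing iteration is owned and released by the caller, which cannot be confirmed here since parse_cookie_header starts and ends outside the hunk. The second hunk in this file only removes the earlier copy of the same block and needs no separate change.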
@@ -0,0 +1,57 @@ + + + + +HTTP +cookies + + + +# Server-side + + +HTTP/1.0 200 OK swsclose +Date: Tue, 09 Nov 2010 14:49:00 GMT +Content-Type: text/html +Set-Cookie: name=content; path=/we%TABwant +Set-Cookie: accept=this; path=/only/this + +boo + + + +# Client-side + + +http + + +HTTP, reject cookie with tab in path + + +http://%HOSTIP:%HTTPPORT/ -c %LOGDIR/jar%TESTNUMBER.txt + + + +cookies + + + +# Verify data after the test has been "shot" + + +GET / HTTP/1.1 +Host: %HOSTIP:%HTTPPORT +User-Agent: curl/%VERSION +Accept: */* + + + +# Netscape HTTP Cookie File +# https://curl.se/docs/http-cookies.html +# This file was generated by libcurl! Edit at your own risk. + +127.0.0.1%TABFALSE%TAB/only/this%TABFALSE%TAB0%TABaccept%TABthis + + +