-
Notifications
You must be signed in to change notification settings - Fork 27.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[NEXT-735] Using headers.append twice with the Set-Cookie header only adds a single header #46579
Comments
Even when doing it manually, it only sets one header:
gives
They are being serialised with a comma, instead of adding two separate headers. It might be a bug in the Fetch api (see https://www.ryadel.com/en/fetch-api-bug-get-set-multiple-set-cookie-headers/) |
Just ran into this too, following |
Related to vercel/edge-runtime#283 |
Apparently there's been a fix for this that's merged into canary, but still getting the same issue. Even on localhost. |
@dillonraphael Could you share the link of the pull request that's supposed to fix this you are referring to? |
In middleware setting 2 cookies works as it should, but in app/route, it sets only the first value |
IMO Fetch API not to be blamed here, this must be very specific to Next API Routes implementation (or whatever underlying http rendering mechanism that it's using). It all seems like API Routes do not handle an easy-to-miss edge case that is specific to Writing all this to ping that issue still exists in today's canary, and it hurts. |
## What This fix serves to address issues where multiple `Set-Cookie` headers were combined in some runtimes. ## Why This is because `set-cookie` behaves differently than other headers in some cases. Eg. when iterating on a `Headers` instance, multiple set-cookie headers are folded. To set them correctly, we need to split them. But it'd not be enough to naively split on the first occurrence, because `,` is a valid cookie value when for example it's used in `Expires` in a date string. So we use a method to correctly detect where to split the cookie. This should fix all runtimes. Note, the spec now has `Headers#getSetCookie` which should be preferred if it's present. whatwg/fetch#1346. We are using the [`edge-runtime`](https://github.com/vercel/edge-runtime), so this should be fixed upstream and then reused in Next.js in the future. ## How Wherever we can, we reuse the `fromNodeHeaders` and `toNodeHeaders` methods that have the correct implementation. This should be preferred in the future in other parts of the codebase. We fixed some related TS issues as well. Fixes #46579, supersedes #40579 fix NEXT-735 ([link](https://linear.app/vercel/issue/NEXT-735)) --------- Co-authored-by: Balázs Orbán <[email protected]>
This closed issue has been automatically locked because it had no new activity for a month. If you are running into a similar issue, please create a new issue with the steps to reproduce. Thank you. |
Verify canary release
Provide environment information
Which area(s) of Next.js are affected? (leave empty if unsure)
Middleware / Edge (API routes, runtime)
Link to the code that reproduces this issue
https://codesandbox.io/p/sandbox/mystifying-babbage-ruhtyx?file=%2Fpages%2Fapi%2Ftest.ts
To Reproduce
Visit
/api/test
with devtools open to observe the cookies sent with the request.Describe the Bug
Only a single Set-Cookie header is sent and only a single cookie is set:
Expected Behavior
Two Set-Cookie headers should be added, as the fetch standard specifies.
This issue is very similar to #38302; @balazsorban44 asked that I open this issue to track this separate reproduction!
Which browser are you using? (if relevant)
No response
How are you deploying your application? (if relevant)
No response
NEXT-735
The text was updated successfully, but these errors were encountered: