Yar doesn't handle the session cookie multiple times correctly.

[SimonSchick]

Apparently https://github.com/hapijs/yar/blob/master/lib/index.js#L85 request.state[settings.name] can be an array, not just an object, yar should probably handle that.

I am not sure what yar should do, probably revoke the cookie(s) as it's technically invalid or just use the first valid one.

I know this isn't exactly intended behaviour but this came up when a colleague was debugging some of our endpoints with postman which for whatever reason duplicated cookies.

[SimonSchick]

cc @crashdoom

[SimonSchick]

That didn't take long 😄

[lock[bot]]

This thread has been automatically locked due to inactivity. Please open a new issue for related bugs or questions following the new issue template instructions.