vercel / next.js

The React Framework
https://nextjs.org
MIT License
125.96k stars 26.87k forks

multi set-cookie merged into one header when cookie name is same #64698

Open yeliex opened 6 months ago

yeliex commented 6 months ago

Link to the code that reproduces this issue

https://github.com/yeliex/stackblitz-starters-kfmrzz

To Reproduce

yarn
yarn dev

Then open ${host}/api/test, open the dev tools or read the terminal output, and you will find the set-cookie headers.

Current vs. Expected behavior

Expected

set-cookie: session=1713406956812; Path=/; Domain=.example1.com; Secure; HttpOnly; SameSite=none
set-cookie: session=1713406956812; Path=/; Domain=.example2.com; Secure; HttpOnly; SameSite=none

Current

## server response
set-cookie: session=1713406956812; Path=/; Domain=.example1.com; Secure; HttpOnly; SameSite=none, session=1713406956812; Path=/; Domain=.example2.com; Secure; HttpOnly; SameSite=none

## dev-tools response header
Set-Cookie: session=1713407480483; Path=/; Domain=.example2.com; Secure; HttpOnly; SameSite=none

Provide environment information

Operating System:
  Platform: linux
  Arch: x64
  Version: #1 SMP PREEMPT_DYNAMIC Sun Aug  6 20:05:33 UTC 2023
  Available memory (MB): 4102
  Available CPU cores: 2
Binaries:
  Node: 20.12.0
  npm: 10.5.0
  Yarn: 1.22.19
  pnpm: 8.15.6
Relevant Packages:
  next: 14.3.0-canary.9 // Latest available version is detected (14.3.0-canary.9).
  eslint-config-next: N/A
  react: 18.2.0
  react-dom: 18.2.0
  typescript: 5.2.2
Next.js Config:
  output: N/A

Which area(s) are affected? (Select all that apply)

Not sure

Which stage(s) are affected? (Select all that apply)

next dev (local), Other (Deployed)

Additional context

When setting multiple cookies with the same name, they are merged into one set-cookie header; then, when the response reaches the client, only the last one remains.
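The folding described in this report, shown as an added example that is not code from the Next.js issue or repository: a layer that treats Set-Cookie like any other repeatable header joins the values with ", ", and the receiver can no longer reliably split them, because the Expires attribute's HTTP date also contains a comma. The cookie strings below are constructed to match the report; the Expires cookie and the `viaFetchHeaders` helper are my additions.

```javascript
// Added example, not code from the Next.js issue or repository. Shows what is
// lost when several Set-Cookie headers are folded into one comma-separated
// value (the "Current" output in the report).

// Constructed to match the two headers the reporter expected.
const TWO_DOMAINS = [
  'session=1713406956812; Path=/; Domain=.example1.com; Secure; HttpOnly; SameSite=None',
  'session=1713406956812; Path=/; Domain=.example2.com; Secure; HttpOnly; SameSite=None',
];

// Constructed: a cookie whose Expires attribute carries a comma (HTTP date).
const WITH_EXPIRES = [
  'a=1; Path=/; Expires=Wed, 21 Oct 2025 07:28:00 GMT',
  'b=2; Path=/',
];

// What a layer that treats Set-Cookie like any other repeatable header does:
// join the values with ", " (the generic list-header rule of RFC 9110).
// RFC 6265 forbids this for Set-Cookie precisely because of the case below.
function foldHeaders(values) {
  return values.join(', ');
}

// Naive recovery on the receiving side: split on every comma. Wrong for
// Set-Cookie, because the Expires date itself contains a comma.
function naiveSplit(folded) {
  return folded.split(',').map((s) => s.trim());
}

// The only split that works on an already-folded value: a comma followed by
// optional whitespace and a `token=` starts the next cookie-pair. The comma
// inside "Wed, 21 Oct ..." is followed by a bare number, never by `token=`,
// and cookie values cannot contain commas (RFC 6265 cookie-octet), so no
// other comma is ambiguous.
function splitSetCookie(folded) {
  return folded.split(/,(?=\s*[^=;,\s]+=)/).map((s) => s.trim());
}

// The same thing through the WHATWG Headers API: get() folds with ", ",
// while getSetCookie() (Node 20+/undici) returns each header separately.
// Returns null where Headers is unavailable so the example still runs.
function viaFetchHeaders(values) {
  if (typeof Headers === 'undefined') return null;
  const h = new Headers();
  for (const v of values) h.append('Set-Cookie', v);
  return {
    folded: h.get('Set-Cookie'),
    separate: typeof h.getSetCookie === 'function' ? h.getSetCookie() : null,
  };
}

console.log(foldHeaders(TWO_DOMAINS));
console.log(naiveSplit(foldHeaders(WITH_EXPIRES)));    // 3 pieces: the date is cut
console.log(splitSetCookie(foldHeaders(WITH_EXPIRES))); // 2 cookies, intact
console.log(viaFetchHeaders(TWO_DOMAINS));
```

The practical check on a Next.js or Node server is the last function: read Set-Cookie with `getSetCookie()` (or the raw header array on `http.ServerResponse`), never with `get('Set-Cookie')`, and never write it back as one joined string.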

dnpg commented 2 months ago

I had this same issue implementing authentication with an example found in a popular YouTube video. Then I had undesired results on the server, where the session was never deleted because there were two session set-cookie headers added.

Based on https://www.rfc-editor.org/rfc/rfc6265#section-4.1.1

"The portions of the set-cookie-string produced by the cookie-av term are known as attributes. To maximize compatibility with user agents, servers SHOULD NOT produce two attributes with the same name in the same set-cookie-string. (See Section 5.3 for how user agents handle this case.)"

Next.js shouldn't combine or return multiple cookies with the same value. They should be overwritten before being sent back in the response.
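The storage rule that decides which cookies "overwrite" each other, as an added example that is neither Next.js code nor the commenter's: RFC 6265 section 5.3 has the user agent replace an existing cookie only when name, domain and path all match, so the reporter's two cookies (same name, different Domain) are both kept, while two headers with the same name and Domain collapse to the last one. The `dedupeSetCookies` helper applies the same key on the server side before sending; it is a hypothetical helper, and the parser assumes a default path of `/` and models host-only cookies with an empty domain. All cookie strings are constructed.

```javascript
// Added example, not code from Next.js or the comment author. A small model
// of the RFC 6265 section 5.3 cookie store, keyed by (name, domain, path).

// Minimal Set-Cookie parser: cookie-pair plus the attributes the key needs.
// Assumes default-path "/" and represents a host-only cookie (no Domain) as "".
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), domain: '', path: '/', raw: header };
  for (const a of attrs) {
    const i = a.indexOf('=');
    const k = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    const v = i === -1 ? '' : a.slice(i + 1);
    if (k === 'domain') cookie.domain = v.toLowerCase();
    else if (k === 'path') cookie.path = v;
    else if (k === 'max-age') cookie.maxAge = Number(v);
  }
  return cookie;
}

// Apply Set-Cookie headers in order to a store. A later header replaces an
// earlier one only when name, domain and path all match; Max-Age<=0 deletes.
// (Past Expires dates also delete in a real user agent; not modelled here.)
function applySetCookies(headers, store = new Map()) {
  for (const h of headers) {
    const c = parseSetCookie(h);
    const key = `${c.name}|${c.domain}|${c.path}`;
    if (c.maxAge !== undefined && c.maxAge <= 0) store.delete(key);
    else store.set(key, c);
  }
  return store;
}

// Hypothetical server-side helper: apply the same key before the response is
// sent, keeping the last header for each key. Cookies that differ only in
// Domain or Path are distinct and both survive.
function dedupeSetCookies(headers) {
  const lastByKey = new Map();
  for (const h of headers) {
    const c = parseSetCookie(h);
    lastByKey.set(`${c.name}|${c.domain}|${c.path}`, h);
  }
  return [...lastByKey.values()];
}

// Constructed inputs.
const REPORTED = [ // same name, different Domain: both must be kept
  'session=1713406956812; Path=/; Domain=.example1.com; Secure; HttpOnly; SameSite=None',
  'session=1713406956812; Path=/; Domain=.example2.com; Secure; HttpOnly; SameSite=None',
];
const DUPLICATE = [ // same key twice: the last one wins
  'session=old; Path=/; HttpOnly',
  'session=new; Path=/; HttpOnly',
];
const DELETE_THEN_NOTHING = [ // a deletion that is not overridden later
  'session=abc; Path=/; HttpOnly',
  'session=; Path=/; Max-Age=0',
];

console.log(applySetCookies(REPORTED).size);            // 2
console.log(dedupeSetCookies(DUPLICATE));                // ['session=new; ...']
console.log(applySetCookies(DELETE_THEN_NOTHING).size);  // 0
```

Order matters for the deletion case: if a `session=...` header follows the `Max-Age=0` one, the store keeps the new value, which is the "never deleted" symptom when the two headers come from different code paths.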