net/http: SetCookie is creating invalid headers

[Rickgrendel]

What version of Go are you using (go version)?

$ go version
go version go1.11.2 windows/amd64

Does this issue reproduce with the latest release?

Yes.

What operating system and processor architecture are you using (go env)?

go env Output

$ go env
set GOARCH=amd64
set GOBIN=
set GOCACHE=C:\Users\Rick\AppData\Local\go-build
set GOEXE=.exe
set GOFLAGS=
set GOHOSTARCH=amd64
set GOHOSTOS=windows
set GOOS=windows
set GOPATH=C:\Users\Rick\Documents\projects\cerebral\
set GOPROXY=
set GORACE=
set GOROOT=C:\Go
set GOTMPDIR=
set GOTOOLDIR=C:\Go\pkg\tool\windows_amd64
set GCCGO=gccgo
set CC=gcc
set CXX=g++
set CGO_ENABLED=1
set GOMOD=
set CGO_CFLAGS=-g -O2
set CGO_CPPFLAGS=
set CGO_CXXFLAGS=-g -O2
set CGO_FFLAGS=-g -O2
set CGO_LDFLAGS=-g -O2
set PKG_CONFIG=pkg-config
set GOGCCFLAGS=-m64 -mthreads -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=C:\Users\Rick\AppData\Local\Temp\go-build507667558=/tmp/go-build -gno-record-gcc-switches

What did you do?

Create a secure cookie with github.com/gorilla/securecookie (wich from their side works) and create a cookie with http.setcookie()

var hashKey = []byte("testkey") //for testing purpopes
var blockKey = []byte(securecookie.GenerateRandomKey(32))

var s = securecookie.New(hashKey, blockKey)
  if encoded, err := s.Encode("cookie-name", value); err == nil {
    cookie := &http.Cookie{
      Name:     "cookie-name",
      Value:    encoded,
      Path:     "/",
      Secure:   true,
      HttpOnly: true,
    }

    http.SetCookie(*w, cookie) // w = *http.ResponseWriter

...

What did you expect to see?

In my REST client for testing I expected to see a valid Set-Cookie header but the header is written as setcookie and the Secure and HttpOnly flags are missing.

What did you see instead?

setcookie:cookiename=MTU0NzczNTM0N3xGOTJYUUw5TFNXZHI2dU9jT3hCeTZUTE5TaTBFNU1XN1F 5WGMzb3c1dGZRUENEU2xPZHFwTXJQLW8zND18_VCYxNVRbIAUrs9_8EcGpTUEiqVyYL_2M5Olbjhnkeg =; Path=/

An invalid cookie header created by http.setcookie()

[bradfitz]

Can you write an example that doesn't use third-party packages? (that is, how do we know this isn't a bug in securecookie or in your code connecting the two?)

And what part of the output do you think is invalid? We could figure it out, but it helps if you're more explicit in bug reports.

[Rickgrendel]

Okay, this is the code without third-party packages. Still the same result.

cookie := &http.Cookie{
  Name:     "cookie-name",
  Value:    "Hello World!",
  Path:     "/",
  Secure:   true,
  HttpOnly: true,
}

http.SetCookie(*w, cookie) // w = *http.ResponseWriter

The part that is invalid is that the header for the cookie is setcookie instead of Set-Cookie. Google Chrome doesn't even see the header.

[bradfitz]

@Rickgrendel, the string "setcookie" (in any case) does not appear in the Go source tree, so not sure why you think you see that.

I certainly don't see that: https://play.golang.org/p/G2J_7TnSA9n

We use Set-Cookie (see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie etc)