Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

net/http: SetCookie is creating invalid headers #29804

Rickgrendel opened this issue Jan 18, 2019 · 4 comments

net/http: SetCookie is creating invalid headers #29804

Rickgrendel opened this issue Jan 18, 2019 · 4 comments


Copy link

@Rickgrendel Rickgrendel commented Jan 18, 2019

What version of Go are you using (go version)?

$ go version
go version go1.11.2 windows/amd64

Does this issue reproduce with the latest release?


What operating system and processor architecture are you using (go env)?

go env Output
$ go env
set GOARCH=amd64
set GOBIN=
set GOCACHE=C:\Users\Rick\AppData\Local\go-build
set GOEXE=.exe
set GOHOSTARCH=amd64
set GOHOSTOS=windows
set GOOS=windows
set GOPATH=C:\Users\Rick\Documents\projects\cerebral\
set GOROOT=C:\Go
set GOTOOLDIR=C:\Go\pkg\tool\windows_amd64
set GCCGO=gccgo
set CC=gcc
set CXX=g++
set GOMOD=
set CGO_CFLAGS=-g -O2
set CGO_FFLAGS=-g -O2
set CGO_LDFLAGS=-g -O2
set PKG_CONFIG=pkg-config
set GOGCCFLAGS=-m64 -mthreads -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=C:\Users\Rick\AppData\Local\Temp\go-build507667558=/tmp/go-build -gno-record-gcc-switches

What did you do?

Create a secure cookie with (wich from their side works) and create a cookie with http.setcookie()

var hashKey = []byte("testkey") //for testing purpopes
var blockKey = []byte(securecookie.GenerateRandomKey(32))

var s = securecookie.New(hashKey, blockKey)
  if encoded, err := s.Encode("cookie-name", value); err == nil {
    cookie := &http.Cookie{
      Name:     "cookie-name",
      Value:    encoded,
      Path:     "/",
      Secure:   true,
      HttpOnly: true,

    http.SetCookie(*w, cookie) // w = *http.ResponseWriter


What did you expect to see?

In my REST client for testing I expected to see a valid Set-Cookie header but the header is written as setcookie and the Secure and HttpOnly flags are missing.

What did you see instead?

setcookie:cookiename=MTU0NzczNTM0N3xGOTJYUUw5TFNXZHI2dU9jT3hCeTZUTE5TaTBFNU1XN1F 5WGMzb3c1dGZRUENEU2xPZHFwTXJQLW8zND18_VCYxNVRbIAUrs9_8EcGpTUEiqVyYL_2M5Olbjhnkeg =; Path=/

An invalid cookie header created by http.setcookie()

@bradfitz bradfitz changed the title net/http: http.setcookie is creating invalid headers net/http: SetCookie is creating invalid headers Jan 18, 2019
Copy link

@bradfitz bradfitz commented Jan 18, 2019

Can you write an example that doesn't use third-party packages? (that is, how do we know this isn't a bug in securecookie or in your code connecting the two?)

And what part of the output do you think is invalid? We could figure it out, but it helps if you're more explicit in bug reports.

@bradfitz bradfitz added this to the Go1.13 milestone Jan 18, 2019
Copy link

@Rickgrendel Rickgrendel commented Jan 24, 2019

Okay, this is the code without third-party packages. Still the same result.

cookie := &http.Cookie{
  Name:     "cookie-name",
  Value:    "Hello World!",
  Path:     "/",
  Secure:   true,
  HttpOnly: true,

http.SetCookie(*w, cookie) // w = *http.ResponseWriter

The part that is invalid is that the header for the cookie is setcookie instead of Set-Cookie. Google Chrome doesn't even see the header.

Copy link

@bradfitz bradfitz commented Jan 24, 2019

@Rickgrendel, the string "setcookie" (in any case) does not appear in the Go source tree, so not sure why you think you see that.

I certainly don't see that:

We use Set-Cookie (see etc)

Copy link

@gopherbot gopherbot commented Mar 1, 2019

Timed out in state WaitingForInfo. Closing.

(I am just a bot, though. Please speak up if this is a mistake or you have the requested information.)

@gopherbot gopherbot closed this Mar 1, 2019
@golang golang locked and limited conversation to collaborators Feb 29, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
4 participants