nextauthjs · balazsorban44 · Sep 29, 2023 · Sep 18, 2023 · Sep 19, 2023 · Sep 27, 2023
diff --git a/packages/next-auth/src/lib/index.ts b/packages/next-auth/src/lib/index.ts
@@ -139,8 +139,7 @@ export function initAuth(config: NextAuthConfig) {
       } = (await authResponse.json()) ?? {}
 
       // Preserve cookies set by Auth.js Core
-      const cookies = authResponse.headers.get("set-cookie")
-      if (cookies) response?.setHeader("set-cookie", cookies)
+      cloneSetCookie({ from: authResponse, to: response })
 
       return { user, expires, ...rest } satisfies Session
     })
@@ -202,14 +201,34 @@ async function handleAuth(
     }
   }
 
-  // Preserve cookies set by Auth.js Core
   const finalResponse = new Response(response?.body, response)
-  const authCookies = sessionResponse.headers.get("set-cookie")
-  if (authCookies) finalResponse.headers.set("set-cookie", authCookies)
+  // Preserve cookies set by Auth.js Core
+  cloneSetCookie({ from: sessionResponse, to: finalResponse })
 
   return finalResponse
 }
 
+/**
+ * Mutates `to` with the set-cookie from `from`
+ * Uses `getSetCookie` if available, otherwise falls back to `set-cookie`
+ *
+ * getSetCookie is missing from the types, but it's available on many platforms.
+ */
+function cloneSetCookie({ from, to }: { from: Response; to: Response }) {
+  const authCookies =
+    "getSetCookie" in from.headers
+      ? (from.headers.getSetCookie as any)()
+      : from.headers.get("set-cookie")
+
+  if (!authCookies) return
+
+  if (Array.isArray(authCookies)) {
+    authCookies.forEach((cookie) => to.headers.append("set-cookie", cookie))
+  } else {
+    to.headers.set("set-cookie", authCookies)
+  }
+}
+
 /** Check if the request is for a NextAuth.js action. */
 function isNextAuthAction(
   req: NextRequest,