Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Calling cookies.set twice sets only one value #283

Closed
raphaelbadia opened this issue Mar 14, 2023 · 2 comments
Closed

Calling cookies.set twice sets only one value #283

raphaelbadia opened this issue Mar 14, 2023 · 2 comments

Comments

@raphaelbadia
Copy link

Bug Report

Current behavior

Calling "cookies.set" twice on an appdir api route will set only one cookie.
221156616-6833d576-2687-43b2-9a13-74ca513f6c15

Expected behavior/code

You'll see one "Set-Cookie" with 2 values, however it should be instead 2 "Set-Cookie" with only one value.
Set-Cookie can be repeated as many time as needed in an HTTP response to set multiple cookies.

Possible solution

This comment explains that .append() shouldn't be used in response-cookies.ts

Additional context/screenshots

I opened this issue in Next.js, it has been closed but I see that the file wasn't modifier in the edge-runtime source code so I think it's better to open it here !
@raphaelbadia raphaelbadia mentioned this issue Mar 14, 2023
Closed
1 task
@bpossolo
Copy link

im seeing the same problem on NextJS 13.2.4 in a route.ts in my app folder
using NextResponse.cookies.set() to set multiple cookies yields a single Set-Cookie http response header...

const response = NextResponse.redirect(location, 303);
response.cookies.set({
  name: ACCESS_TOKEN,
  value: result.accessToken,
  path: '/',
  secure,
  expires: result.expiresOn ? result.expiresOn : undefined,
});
response.cookies.set({
  name: ACCOUNT_ID,
  value: result.account.homeAccountId,
  path: '/',
  secure,
  expires: expiration('years', 1),
});
return response;

set-cookie: access-token=mytokenvalue; Path=/; Expires=Mon, 27 Mar 2023 04:38:03 GMT, account-id=1c12dd32-abcd-4e0a-9d21-5b480b806b06-b2c_1a_passwordless-authentication.abcdedf-1136-40a6-a376-123456789; Path=/; Expires=Tue, 26 Mar 2024 04:44:43 GMT

from the spec:

Origin servers SHOULD NOT fold multiple Set-Cookie header fields into a single header field. The usual mechanism for folding HTTP headers fields (i.e., as defined in [RFC2616]) might change the semantics of the Set-Cookie header field because the %x2C (",") character is used by Set-Cookie in a way that conflicts with such folding.

comma is used in the Expires attribute value

@Kikobeats
Copy link
Member

Kikobeats commented Jul 17, 2023
edited

I'm not seeing this issue at Next.js v13.4.10:

import { NextResponse } from 'next/server'

export const config = { runtime: 'edge' }

export default req => {
  const response = new NextResponse()

  response.cookies
    .set('cookie1', 'cookie1')
    .set('cookie2', 'cookie2')

  return response
}

That produces the following headers:

$ curl -i http://localhost:3000/api
HTTP/1.1 200 OK
set-cookie: cookie1=cookie1; Path=/
set-cookie: cookie2=cookie2; Path=/
date: Mon, 17 Jul 2023 15:49:55 GMT
connection: close
transfer-encoding: chunked

Closing for now; Happy to reopen if you can provide a reproducing of the issue using the latest version 🙂

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@bpossolo @raphaelbadia @Kikobeats