CD
Cloudflare Developers•2mo ago
TravisFrank

Multiple Set-Cookie headers folded into one header

In the documentation (https://developers.cloudflare.com/workers/runtime-apis/headers/), it says that "the Headers.append method will allow you to set multiple Set-Cookie response headers instead of appending the value onto the existing header." However, the following code produces a single concatenated Set-Cookie header when sent to the client: const headers = new Headers(); headers.append('Set-Cookie', 'cookie1=1;'); headers.append('Set-Cookie', 'cookie2=2;'); return new Response(null, headers); getAll works properly in the Workers environment, but entries shows only a single Set-Cookie header. On the client, only a single header, like so: Set-Cookie: cookie1=1;, cookie2=2; This behavior breaks from spec and the docs and prevents me from setting multiple cookies on a single request. Browsers do not properly interpret a single Set-Cookie header. Is this a bug? Or am I missing something? How can I have multiple Set-Cookie headers on my response?
8 Replies
Chaika
Chaika•2mo ago
return new Response(null, headers);
that's not going to work since new Response second parameter wants a RequestInit, not headers This workers fine for me in a deployed worker though: 
            const headersNew = new Headers();
        headersNew.append("Set-Cookie", "cookie1=value_for_cookie_1; Path=/; HttpOnly;");
        headersNew.append("Set-Cookie", "cookie2=value_for_cookie_2; Path=/; HttpOnly;");
        return new Response(null, { headers: headersNew});
            const headersNew = new Headers();
        headersNew.append("Set-Cookie", "cookie1=value_for_cookie_1; Path=/; HttpOnly;");
        headersNew.append("Set-Cookie", "cookie2=value_for_cookie_2; Path=/; HttpOnly;");
        return new Response(null, { headers: headersNew});
No description
Chaika
Chaika•2mo ago
If you're testing in the Workers playground or dashboard quick edit it looks like it makes it visually append, but they don't in the actual response headers
TravisFrank
TravisFrank•2mo ago
Ah, my mistake, I have { headers } in my code and it doesn't work Even stranger behavior: it's working fine in Safari but not in Firefox or Chrome.
Chaika
Chaika•2mo ago
on a deployed worker? Could you share the test endpoint? iirc some web browsers do support multi-cookie sets in a single header but it's weird/not fully supported, might explain some of the behavior
TravisFrank
TravisFrank•2mo ago
I tried this in the playground and deployed that worker, it works fine. But I deployed my worker and the bug persists even after deployment. Going to expose a route that doesn't require auth to access for you to see Aha, debugged! Turns out this was an issue with itty-router's corsify I'll try the latest and if that doesn't work I'll take it up with @Kevin W - Itty 😉
Kevin
Kevin•2mo ago
I know we’re already chatting about this in itty.dev Discord, but we are talking about the corsify from v5 cors() not v4 createCors() right?
TravisFrank
TravisFrank•2mo ago
Yes, I bumped to 5.0.5 to see if that would fix it but it persists
Kevin
Kevin•2mo ago
See output here... https://discord.com/channels/832353585802903572/1224742032610955364 We have a test setup at both: https://tests.itty.dev/raw-cors (no itty, just creates a raw response and returns it) https://tests.itty.dev/autorouter-cors (AutoRouter with cors()) ...and both appear to work flawlessly (and identically) in Chrome.
Want results from more Discord servers?
Add your server
More Posts
Cloudflare Tunnel routing through wrong locationsI have a tunnel that I use as an alternative to opening ports on my local network, however, there isRegister DomainHi. I cant pay for new .com domain. I can't figure out what could be the problem. The bank side saysCloudflare icons and stencils for diagramming.Do we have an open source repository with Cloudflare-specific icons?"Pro" plan, but can't see the Caching page.Hi there, I've subscribed to the "Pro" plan, but it seems I don't have access to the "Caching - Ovecan you provide an url for mp3?can you provide an url for mp3?Downloading data before building pages (SSG/SSR)I have the use case that I'm experimenting building a Cloudflare Pages project using Astro. It willJust the domain is neededJust the domain is neededRequest failed with status code 408 (Request Timeout)Failed upload sourcemap for [dist/assets/SecondaryButton-e.js.map]: Request failed with status code opened a PR to allow native web_sysopened a PR to allow native web_sys request, without having to ditch the event macro: https://githubVPN tunnel warp 1.1.1.1 problemI need help ! I can't activate my VPN. When I want to activate it, the following words appear: Your