see fix in #1191 - ran into this trying to run auth0/nextjs-auth on a lambda and went down a long rabbit hole of discovery, repeating here just so you have the issue to track
Problem
Terminal-return middleware responses with multiple Set-Cookie headers get folded into a single comma-joined value. The browser receives one corrupt cookie; multi-cookie sessions are dropped.
Triggered by any auth library that chunks a large session across multiple cookies (e.g. @auth0/nextjs-auth0 v4 sets appSession.0/1/2 on the /auth/callback redirect). The session never persists; the callback returns a 500 with no app logs.
Root cause
Headers.forEach folds same-name headers per the WHATWG spec. Both harvest sites accumulate set-cookie through forEach:
responseHeaders.forEach((value, key) => {
if (key.toLowerCase() === "set-cookie") {
resHeaders[key] = resHeaders[key] ? [...resHeaders[key], value] : [value];
}
});
When folding occurs, value is already "appSession.0=…, appSession.1=…, appSession.2=…" — one string. Result: one corrupt Set-Cookie entry instead of three.
Affected:
core/routing/middleware.ts (~L127) — terminal-return and rewrite paths
adapters/edge-adapter.ts (~L48)
getSetCookie() is not called anywhere in the codebase prior to this PR.
see fix in #1191 - ran into this trying to run auth0/nextjs-auth on a lambda and went down a long rabbit hole of discovery, repeating here just so you have the issue to track
Problem
Terminal-return middleware responses with multiple Set-Cookie headers get folded into a single comma-joined value. The browser receives one corrupt cookie; multi-cookie sessions are dropped.
Triggered by any auth library that chunks a large session across multiple cookies (e.g. @auth0/nextjs-auth0 v4 sets appSession.0/1/2 on the /auth/callback redirect). The session never persists; the callback returns a 500 with no app logs.
Root cause
Headers.forEach folds same-name headers per the WHATWG spec. Both harvest sites accumulate set-cookie through forEach:
responseHeaders.forEach((value, key) => {
if (key.toLowerCase() === "set-cookie") {
resHeaders[key] = resHeaders[key] ? [...resHeaders[key], value] : [value];
}
});
When folding occurs, value is already "appSession.0=…, appSession.1=…, appSession.2=…" — one string. Result: one corrupt Set-Cookie entry instead of three.
Affected:
getSetCookie() is not called anywhere in the codebase prior to this PR.