Skip to content

multiple Set-Cookie headers issue #1192

Description

@jdnurmi

see fix in #1191 - ran into this trying to run auth0/nextjs-auth on a lambda and went down a long rabbit hole of discovery, repeating here just so you have the issue to track

Problem

Terminal-return middleware responses with multiple Set-Cookie headers get folded into a single comma-joined value. The browser receives one corrupt cookie; multi-cookie sessions are dropped.

Triggered by any auth library that chunks a large session across multiple cookies (e.g. @auth0/nextjs-auth0 v4 sets appSession.0/1/2 on the /auth/callback redirect). The session never persists; the callback returns a 500 with no app logs.
Root cause

Headers.forEach folds same-name headers per the WHATWG spec. Both harvest sites accumulate set-cookie through forEach:

responseHeaders.forEach((value, key) => {
if (key.toLowerCase() === "set-cookie") {
resHeaders[key] = resHeaders[key] ? [...resHeaders[key], value] : [value];
}
});

When folding occurs, value is already "appSession.0=…, appSession.1=…, appSession.2=…" — one string. Result: one corrupt Set-Cookie entry instead of three.

Affected:

core/routing/middleware.ts (~L127) — terminal-return and rewrite paths
adapters/edge-adapter.ts (~L48)

getSetCookie() is not called anywhere in the codebase prior to this PR.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions