kit: can no longer return multiple `set-cookie` headers from endpoints

Describe the bug

In a recent update, probably #3384, the ability to return multiple set-cookie headers from an endpoint seems to have broken. Instead of returning multiple set-cookie headers, it returns just one with cookie values comma-separated (which browsers cannot interpret correctly).

Reproduction

This endpoint:

export function get() {
  return {
    headers: {
      'set-cookie': [
        'accesstoken=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly; Secure; SameSite=Strict',
        'refreshtoken=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly; Secure; SameSite=Strict',
      ]
    }
  }
}

produces the following headers:

set-cookie: accesstoken=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly; Secure; SameSite=Strict, refreshtoken=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly; Secure; SameSite=Strict

but it should produce:

set-cookie: accesstoken=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly; Secure; SameSite=Strict
set-cookie: refreshtoken=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly; Secure; SameSite=Strict

Logs

No response

System Info

  System:
    OS: macOS 12.1
    CPU: (8) arm64 Apple M1
    Memory: 1.71 GB / 16.00 GB
    Shell: 3.2.57 - /bin/bash
  Binaries:
    Node: 17.4.0 - /opt/homebrew/bin/node
    npm: 8.3.1 - /opt/homebrew/bin/npm
  Browsers:
    Chrome: 97.0.4692.99
    Safari: 15.2
  npmPackages:
    @sveltejs/adapter-auto: next => 1.0.0-next.13 
    @sveltejs/kit: next => 1.0.0-next.235 
    svelte: ^3.44.0 => 3.46.2

Severity

blocking an upgrade

Additional Information

No response
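
Why the comma-joined header in the reproduction above matters, as an added example that is not part of the original issue or SvelteKit's code: under a simplified model of RFC 6265 parsing, the single folded line sets only `accesstoken`, so `refreshtoken` is never expired. The helper names are hypothetical, and the splitter is a test-side diagnostic, not a server fix.

```javascript
// Added example; helper names are hypothetical. The cookie strings are the
// ones from the issue's reproduction.
const ATTRS = 'Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly; Secure; SameSite=Strict';
const intended = [`accesstoken=; ${ATTRS}`, `refreshtoken=; ${ATTRS}`];
const folded = intended.join(', '); // the single header the broken build emitted

// Simplified RFC 6265 section 5.2 view of ONE header line: the text before the
// first ';' is name=value, every later piece is an attribute of that cookie.
function cookieSeenByBrowser(line) {
  const [pair, ...attrs] = line.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  return {
    name: eq < 0 ? '' : pair.slice(0, eq),
    attributes: attrs.map((a) => a.split('=')[0].toLowerCase()),
  };
}

// Recover the individual cookies from a folded value. A comma starts a new
// cookie only when a `name=` token follows it; the comma in "Expires=Thu, 01 Jan"
// is followed by a date, which has whitespace before any '=', so it is kept.
function splitFoldedSetCookie(value) {
  const parts = [];
  let start = 0;
  for (let i = 0; i < value.length; i++) {
    if (value[i] !== ',') continue;
    if (/^\s*[^\s=;,]+=/.test(value.slice(i + 1))) {
      parts.push(value.slice(start, i).trim());
      start = i + 1;
    }
  }
  parts.push(value.slice(start).trim());
  return parts;
}

// Regression check for a cookie-clearing response: which expected cookie
// names does no Set-Cookie line actually set?
function cookiesNotCleared(lines, expected) {
  const seen = new Set(lines.map((l) => cookieSeenByBrowser(l).name));
  return expected.filter((n) => !seen.has(n));
}

const expected = ['accesstoken', 'refreshtoken'];
console.log('folded header leaves:', cookiesNotCleared([folded], expected));
console.log('separate headers leave:', cookiesNotCleared(intended, expected));
console.log('recovered lines:', splitFoldedSetCookie(folded));
```

Running `cookiesNotCleared` against the raw `Set-Cookie` lines captured from a production build (not only dev or preview) catches the adapter-specific regression reported later in the thread.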

About this issue

  • State: closed
  • Created 2 years ago
  • Comments: 32 (17 by maintainers)

Most upvoted comments

I think that might be because I forgot to add changesets for adapter-node/netlify, meaning they didn’t get rebuilt with the fix. Releasing new versions now

I think the issue happened because you were using the spread operator ({ ...obj, foo: 1}) on the response object. SvelteKit currently uses Response objects to represent responses, so using the spread operator on them may cause undesired behavior.

To solve the issue I’d recommend modifying the response headers as below:

	if (user || loggingOut) {
		response.headers.append("Set-Cookie", setCookieValue)
		response.headers.append("Set-Cookie", setJwtCookieValue)
		response.headers.append("Set-Cookie", setCompIdCookieValue)
	}
	return response

Thank you @JeanJPNM! I appreciate you pointing this out.

@kamholz earlier said “that doesn’t work because of the issue with the Headers API.” though. So can we use multiple appends with headers?

Yes. You could use multiple appends.

version: 1.0.0-next.252

export async function handle({ event, resolve }) {
    const response = await resolve(event);

    response.headers.append('Set-Cookie', 'handleFoo=foo');
    response.headers.append('Set-Cookie', 'handleBar=bar; HttpOnly=true');

    return response;
}

No, that doesn’t work because of the issue with the Headers API. The linked Stack Overflow issue explains it.

After that fix, multiple cookies work only in dev (npm run dev) or preview mode (npm run preview), but when I run it from a build with the node adapter (node build/index.js), it is again just one long comma-separated string.

"@sveltejs/kit": "^1.0.0-next.240", "@sveltejs/adapter-node": "^1.0.0-next.66", Node version 16.13.2