From 7eee2880b24d66ea664fee8b9575257da1a2b8dd Mon Sep 17 00:00:00 2001
From: Dave L <dave@angrysam.com>
Date: Tue, 12 Mar 2024 10:02:09 -0700
Subject: [PATCH] Add exception for set-cookie headers to always append

---
 system/web/context/RequestContext.cfc | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/system/web/context/RequestContext.cfc b/system/web/context/RequestContext.cfc
index 71b5d094e..cb1c27bb2 100644
--- a/system/web/context/RequestContext.cfc
+++ b/system/web/context/RequestContext.cfc
@@ -1803,9 +1803,16 @@ component serializable="false" accessors="true" {
 		}
 		// Name Exists and not already set.
 		else if ( !isNull( arguments.name ) ) {
-			getPageContext()
-				.getResponse()
-				.setHeader( javacast( "string", arguments.name ), javacast( "string", arguments.value ) );
+
+			var response = getPageContext().getResponse();
+						
+			// special exception for Set-Cookie. We always append this header, instead of overwriting
+ 			if ( arguments.name == "Set-Cookie" ) {
+				response.addHeader( javacast( "string", arguments.name ), javacast( "string", arguments.value ) );
+			} else {
+				response.setHeader( javacast( "string", arguments.name ), javacast( "string", arguments.value ) );
+			}
+				
 			variables.responseHeaders[ arguments.name ] = arguments.value;
 		} else {
 			throw(