fix: server side Set-Cookie always set an array. #367

sullivanpt · 2019-06-02T22:36:46Z

Explanation. nodejs expects setHeader('Set-Cookie', value) to be
an array. If given a string it will accept and properly send it.
However, any subsequent attempts to replace the string with an array
to send multiple Set-Cookie headers will fail; it will instead send a
single Set-Cookie header with a concatenated array. The client will only
parse the first cookie, and then you'll spend hours pulling your
hair out.

Example:

res.SetHeader('Set-Cookie', 'serialized cookie')
res.SetHeader('Set-Cookie', ['serialized cookie','another cookie'])

generates

Set-Cookie: serialized cookie,another cookie

when what you want is

Set-Cookie: serialized cookie
Set-Cookie: another cookie

Explanation. nodejs expects setHeader('Set-Cookie', value) to be an array. If given a string it will accept and properly send it. However, any subsequent attempts to replace the string with an array to send multiple Set-Cookie headers will fail; it will instead send a single Set-Cookie header with a concatenated array. The client will only parse the first cookie, and then you'll spend hours pulling your hair out. Example: res.SetHeader('Set-Cookie', 'serialized cookie') res.SetHeader('Set-Cookie', ['serialized cookie','another cookie']) generates Set-Cookie: serialized cookie,another cookie when what you want is Set-Cookie: serialized cookie Set-Cookie: another cookie

pi0 · 2019-06-03T08:07:03Z

Hi @sullivanpt & thanks for digging in. About adding headers, actually, this is the same implementation for Express [append] (which is also used for res.cookie) so I'm wondering if this problem applies for all express users as well!

But at least rfc6265 confirms this:

Origin servers SHOULD NOT fold multiple Set-Cookie header fields into
a single header field. The usual mechanism for folding HTTP headers
fields (i.e., as defined in [RFC2616]) might change the semantics of
the Set-Cookie header field because the %x2C (",") character is used
by Set-Cookie in a way that conflicts with such folding.

sullivanpt · 2019-06-03T16:43:54Z

Thanks for the quick response and merge.

Regarding the express implementation, yes, I was sure I'd seen this implementation before which is why it took me so long to suspect that block of code. Then I stumbled across this person complaining of a similar cookie problem just using express and I was like "oh! I get it now...". http://www.connecto.io/blog/nodejs-express-how-to-set-multiple-cookies-in-the-same-response-object/

There's one more bug in this module that I'm struggling to find the correct fix for: when switching providers it fails to switch properly if the new provider has an expired token and the userinfo reload on provider switch fails. I'll make a PR if I can figure something intelligent out.

But overall I love this module. it makes OAuth trivial. Love it! Thanks a million

simplify logic

f4835f4

pi0 merged commit 4d3feff into nuxt-community:dev Jun 3, 2019

sullivanpt deleted the fix-server-set-cookie-array branch June 3, 2019 16:44

Yama-Tomo mentioned this pull request Jun 5, 2019

fix: set-cookie header contains undefined value #372

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix: server side Set-Cookie always set an array. #367

fix: server side Set-Cookie always set an array. #367

sullivanpt commented Jun 2, 2019

pi0 commented Jun 3, 2019

sullivanpt commented Jun 3, 2019

fix: server side Set-Cookie always set an array. #367

fix: server side Set-Cookie always set an array. #367

Conversation

sullivanpt commented Jun 2, 2019

pi0 commented Jun 3, 2019

sullivanpt commented Jun 3, 2019