Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Multiple 'Set-Cookie' headers in one response

See original GitHub issue

Is it possible to have multiple ‘Set-Cookie’ headers in one response? As is known there are two ways to set cookies header in the response: - Having separated headers - Folding into 1 header and using comma separated

The later way however is deprecated in (RFC6265)[http://www.rfc-editor.org/rfc/rfc6265.txt] and not supported by some latest browsers.

   Origin servers SHOULD NOT fold multiple Set-Cookie header fields into
   a single header field.  The usual mechanism for folding HTTP headers
   fields (i.e., as defined in [RFC2616]) might change the semantics of
   the Set-Cookie header field because the %x2C (",") character is used
   by Set-Cookie in a way that conflicts with such folding.

So that below can be valid:

responses:
   200:
   description: "Response with content"
   headers:
       Set-Cookie:
           type: String
           description: "eg. key1=value1"
       Set-Cookie:
           type: String
           description: "eg. key2=value2"

Issue Analytics

State:
Created 6 years ago
Reactions:8
Comments:15 (5 by maintainers)

Top GitHub Comments

44reactions

mikejavcommented, Sep 24, 2018

I got rid of this problem with this one simple trick:

just surround the next same header by quotation marks and add null char at the beginning.

headers:
  Set-Cookie:
    description: Session cookie
    schema:
      type: string
      example: SESSIONID=abcde12345; Path=/
  "\0Set-Cookie":
    description: CSRF token
    schema:
      type: string
      example: CSRFTOKEN=fghijk678910; Path=/; HttpOnly

result: result