Skip to content

fix: Allow multiple unmerged set-cookie headers. #1570

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
retrohacker merged 2 commits into from
Feb 9, 2018
Merged

fix: Allow multiple unmerged set-cookie headers. #1570

retrohacker merged 2 commits into from
Feb 9, 2018

Conversation

@lrowe
Copy link
Contributor

@lrowe lrowe commented Nov 21, 2017

Pre-Submission Checklist

  • Opened an issue discussing these changes before opening the PR
  • Ran the linter and tests via make prepush
  • Included comprehensive and convincing tests for changes

Issues

Closes:

Changes

Fixes the fix for #779 to allow multiple set-cookie headers. The RFC only disallows these headers from being merged into a single header, it does not disallow multiple headers.

@DonutEspresso
Copy link
Member

DonutEspresso commented Nov 22, 2017
edited
Loading

Thanks for the PR! Oddly, this is the exact opposite of #779, but appears to have the desired behavior. Wonder if something in Node core changed where it knows about how to set multiple headers for certain headers (like cookies), rather than universally transforming multiple values into a comma delimited string.

Maybe @yunong can remember how the original issue was manifesting?

@lrowe
Copy link
Contributor Author

lrowe commented Nov 22, 2017

It looks like @yunong was wanting to avoid set-cookie headers being merged into a single header (as this is not valid per RFC.) Maybe this is something Restify did at one point? It looks like Node has supported Arrays for multiple header lines back to Sep 2010 nodejs/node-v0.x-archive@6560ab9 yet I see recent bugs like nodejs/node#3591 reporting that header merging is happening.

I've run this test script back to v0.10.48 and see an appropriate response with two separate Set-Cookie headers.

"use strict";

var http = require('http');
var port = 3000;

function requestHandler(request, response) {
  console.log(request.url);
  response.setHeader("Set-Cookie", ["a=1", "b=2"]);
  response.end('Hello Node.js Server!');
}

var server = http.createServer(requestHandler);

server.listen(port, function (err) {
  if (err) {
    return console.log('something bad happened', err);
  }

  console.log('server is listening on ' + port);
})

retrohacker
retrohacker approved these changes Nov 27, 2017
View reviewed changes
Copy link
Contributor

@retrohacker retrohacker left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@lrowe has extensively tested this across many versions of Node and it gives the desired behaviour. We have a test case in place to catch a regression from Node core if one happens.

If there are cases where Node core collapses Set-Cookie values into a comma separated list we can add a separate test for that in the future.

@lrowe lrowe force-pushed the allow-multiple-set-cookie branch from ba7b78b to 393fc3c Compare November 27, 2017 20:30
@DonutEspresso
Copy link
Member

DonutEspresso commented Dec 14, 2017

LGTM

@retrohacker retrohacker merged commit df04015 into restify:master Feb 9, 2018
@dependabot-preview dependabot-preview bot mentioned this pull request Mar 21, 2018
Closed
This was referenced Apr 9, 2018
Merged
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@retrohacker retrohacker retrohacker approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@lrowe @DonutEspresso @retrohacker