How to set multiple "Set-Cookie" protocol headers for HTTP responses

[nanji886]

Use nng_http_res_add_header to set multiple "Set-cookie" protocol headers, which will merge multiple cookies into a single "Set-Cookie" protocol header, so that the browser can only parse a single cookie, not multiple cookies.

[nanji886]

Give examples:

#include <nng/nng.h>
#include <nng/supplemental/http/http.h>

void set_response_cookies(nng_http_res* response) {
nng_http_res_add_header(response, "Set-Cookie", "userid=12345;");
nng_http_res_add_header(response, "Set-Cookie", "sessionid=abcdef;");
nng_http_res_add_header(response, "Set-Cookie", "userrole=admin; Path=/; HttpOnly");
}

The response header we expect to get looks like this：-----
Set-Cookie: userid=12345;
Set-Cookie: sessionid=abcdef;
Set-Cookie: userrole=admin; Path=/; HttpOnly

Instead, you now get a response header formatted like this：----
Set-Cookie: userid=12345;, sessionid=abcdef;, userrole=admin; Path=/; HttpOnly

[gdamore]

In fact, according to the HTTP 1/1 specification, the combining that is done is legal and expected. See RFC 2616 4.2, which says:

Multiple message-header fields with the same field-name MAY be
present in a message if and only if the entire field-value for that
header field is defined as a comma-separated list [i.e., #(values)].
It MUST be possible to combine the multiple header fields into one
"field-name: field-value" pair, without changing the semantics of the
message, by appending each subsequent field-value to the first, each
separated by a comma. The order in which header fields with the same
field-name are received is therefore significant to the
interpretation of the combined field value, and thus a proxy MUST NOT
change the order of these field values when a message is forwarded.

If your browser does not understand the combination of the headers, then it's a bug in the browser. I'm not aware of any that suffer from this defect.

[nanji886]

Boss, you are right, but in real life scenarios there are problems that can't be recognised.
For example, I'm using NNG to develop a HTTP(s) reverse proxy, the original server returns multiple ‘Set-Cookies’, and the intermediate proxy automatically merges them into one. This way Google Chrome recognises only one ‘Cookie’.

Below I've combined 3 screenshots and uploaded them:
Figure 1: The original server returns multiple ‘Set-Cookies’.
Figure 2: The intermediary proxy merges the ‘Set-Cookie’.
Figure 3: Google Chrome requested again and sent only 1 ‘Cookie’.

[nanji886]

To add to this, I asked chartGPT today, and chartGPT replied : ‘Multiple Set-Cookies in the HTTP response header cannot be merged into a single one, or else browsers get confused when parsing them.’
Suggest the boss consider fixing this.