Closed
Description
Here is a small example:
package main
import (
	"log"
	"net/http"

	"github.com/alexedwards/scs"
)
// sessionManager is the scs cookie-backed session manager shared by main and login.
// NOTE(review): the string passed to NewCookieManager looks like the secret key that
// protects the session cookie; it is hard-coded here to keep the reproduction short.
// Having been published on this page, it must be treated as compromised: a real
// service should generate its own random key and load it from configuration or a
// secret store instead of committing it to source.
var sessionManager = scs.NewCookieManager("u46IpCV9y5Vlur8YvODJEhgOY8m9JVE4")
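// main registers the /auth handler, wraps the mux in the session middleware
// and serves it on :4000.
func main() {
	mux := http.NewServeMux()
	mux.HandleFunc("/auth", login)

	// ListenAndServe only returns on failure (for example when the port is
	// already in use); report the error instead of exiting silently.
	//
	// NOTE(review): this is a plain-HTTP listener, which is fine for a local
	// reproduction. The session cookies in the captured response carry
	// HttpOnly but no Secure attribute, so outside a test setup serve over TLS
	// and mark the session cookie Secure.
	if err := http.ListenAndServe(":4000", sessionManager.Use(mux)); err != nil {
		log.Fatal(err)
	}
}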
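// login handles /auth. It loads the request's session, renews the session
// token, and then stores the user id and an admin flag in the session.
//
// Each of the three session calls receives the ResponseWriter, and the
// response captured for this handler shows three Set-Cookie headers for the
// same "session" cookie name, so each call appears to emit its own header.
// The calls and their order are kept exactly as reported so the example still
// reproduces that behaviour.
func login(w http.ResponseWriter, r *http.Request) {
	session := sessionManager.Load(r)

	// authenticate user ...

	// Renew the token once the user is authenticated and before any
	// privilege-bearing value is written, so a token issued before login is
	// not carried over into the authenticated session (session fixation).
	if err := session.RenewToken(w); err != nil {
		sessionFailure(w, "renew token", err)
		return
	}

	if err := session.PutInt(w, "userId", 1); err != nil {
		sessionFailure(w, "store userId", err)
		return
	}

	// NOTE(review): with a cookie-backed manager the session data presumably
	// travels in the cookie itself, so this authorization flag is only as
	// trustworthy as the manager's key is secret — confirm before relying on it.
	if err := session.PutBool(w, "isAdmin", true); err != nil {
		sessionFailure(w, "store isAdmin", err)
		return
	}
}

// sessionFailure logs the underlying session error on the server and answers
// with a generic 500, so internal error text is not echoed to the client.
func sessionFailure(w http.ResponseWriter, op string, err error) {
	log.Printf("login: %s: %v", op, err)
	http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
}

Here is /auth response: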
HTTP/1.1 200 OK
Set-Cookie: session=rXoTm-uiZM8eYszKWKTbUP-D-SBV0Pdx8DyMpX7jL55yVcOwRxLROJSeDHeuW0iYifwVpUnEiXyhU_H-Vl-1-2LpnjHnOvx1TS1yYuoccQP6P56iEXyCzngQRt_UkHGG5Wva5-0; Path=/; HttpOnly
Set-Cookie: session=6HjYzvYsALD_UvkBNlrheCKijlQDAAd2rMsWN_URq7uO12n2ng2t-7PYSmHSV8l3n0TKtb6_y0-DKuc--uikxCBJ-NuvR0a91vj7dauPu_TMrCGtfa1cOgLpr1R2MhTCDt4qUNwmBNEblJrViAiW; Path=/; HttpOnly
Set-Cookie: session=ewJmYE3psbCYtX39Zgj-Utv5XTjCJ5SfbsO32daXPyOovU0y0O2OPQtv6QlL9Zv-yZ-XJuYqPvkZQ5tt_tjLqtpKdvohTOLAjLp7XO9yfVjV5rgtC6hG5b9W0Hb_8shOUdZdKZdM936IEAbaRkltlDOEYqBSbFcXoZIjJUKs; Path=/; HttpOnly
Date: Thu, 26 Oct 2017 09:08:01 GMT
Content-Length: 0
Content-Type: text/plain; charset=utf-8

As you can see, there are three different Set-Cookie headers with the same cookie-name in the response, which is wrong according to RFC 6265:
Servers SHOULD NOT include more than one Set-Cookie header field in
the same response with the same cookie-name.