Cloudflare Pages - bad Set-Cookie concatenation

tilosag · June 23, 2023, 2:06pm

My Nuxt application behind Cloudflare Pages sends out multiple set-cookie headers. All of them get concatenated with a comma “,” which prevents users from logging in. This is incorrect behaviour due to RFC 6265 prohibiting folding multiple Set-Cookie headers into a single header.
See https://developers.cloudflare.com/workers/platform/headers/ for more information.

The issue affected CDN/Cache in the past and has resurfaced for Pages. Here’s link to the old incident: https://www.cloudflarestatus.com/incidents/30ptcb3b0s2w and the thread https://community.cloudflare.com/t/prevent-cloudflare-from-automatically-folding-set-cookie-headers/304876.

WalshyMVP · June 23, 2023, 2:10pm

You’re setting these in a Function I assume?

tilosag · June 23, 2023, 2:36pm

Yes. The Nuxt framework is setting them for me. The solution is to use .appendHeader(..) does not work. The set-cookie headers get concatenated anyway.

    setCookieHeaders.forEach(header => {
      event.node.res.appendHeader('Set-Cookie', header);
    })

The node.res is ServerResponse instance from nodejs.

The awkward bit is that the issue does not manifest itself during development. Even tho I use node 20 in there and in Cloudflare.