user751
September 13, 2021, 10:48pm
1
In Chrome 93.0.4577.82, I’m seeing some weirdness when setting cookies since Cloudflare folds all set-cookie headers into one.
Here’s an example of the set cookie header when folded:
set-cookie: test=1; Path=/; Expires=Tue, 13 Sep 2022 22:21:21 GMT; Secure; SameSite=None, test2=2; Path=/; Expires=Tue, 13 Sep 2022 22:21:21 GMT; Secure; SameSite=None, test3=3; Path=/; Expires=Tue, 13 Sep 2022 22:21:21 GMT; HttpOnly; Secure; SameSite=None
test should not be HTTPOnly in this case, but it ends up being set to HTTPOnly, possibly because test3 is set to HTTPOnly.
You can test this locally (I used PHP while testing) and you’ll see that only the test cookie gets set (and set to HTTPOnly), and nothing else.
My fix ended up being to set the most restrictive cookies first, and then set the least restrictive after.
Is there any way to prevent Cloudflare from folding all of the cookies into one header?
I believe this is the source of the problem, since I could not recreate it locally, where headers were not being folded – it was an issue unique to Cloudflare due to the folding of the headers.
Per RFC 6265, origin servers should not fold multiple Set-Cookie header fields into a single header field.
2 Likes
michael
September 13, 2021, 11:16pm
2
Could you share the output from these two commands:
curl https://example.com/ --dump-header - -o /dev/null --silent | grep -i set-cookie
curl https://example.com/ --connect-to ::Your-Origin-IP-HERE --dump-header - -o /dev/null --silent | grep -i set-cookie
Replace the placeholders, and sanitise the output as needed.
1 Like
user751
September 13, 2021, 11:43pm
3
Output from first command:
set-cookie: test=foo; Path=/; Expires=Tue, 13 Sep 2022 23:37:06 GMT; HttpOnly; Secure; SameSite=None, test2=bar; Path=/; Expires=Tue, 13 Sep 2022 23:37:06 GMT; Secure; SameSite=None, test3=abc; Path=/; Expires=Tue, 13 Sep 2022 23:37:06 GMT; Secure; SameSite=None
Output from second command:
set-cookie: test=foo; Path=/; Expires=Tue, 13 Sep 2022 23:39:08 GMT; HttpOnly; Secure; SameSite=None
set-cookie: test2=bar; Path=/; Expires=Tue, 13 Sep 2022 23:39:08 GMT; Secure; SameSite=None
set-cookie: test3=abc; Path=/; Expires=Tue, 13 Sep 2022 23:39:08 GMT; Secure; SameSite=None
Encountered the same problem; it has a great impact on our service. Hope this problem can be fixed soon.
We are running an application called Keycloak whose traffic is proxied via Cloudflare. Starting today we found that users on Chromium-based products (Chrome, Edge, etc.) were unable to log in; this did not affect Firefox and Safari users. We managed to track this down to what we think is Cloudflare mangling the set-cookie response to Chrome. I have listed two example payloads, with Cloudflare on vs off. When on, the cookies are not set and the application fails:
set-cookie: AUTH_SESSION_ID=d637d240-500b-49e3-8691-74b53d98c8f5.ae2d4b6f8713; Version=1; Path=/auth/realms/testing/; SameSite=None; Secure; HttpOnly, AUTH_SESSION_ID_LEGACY=d637d240-500b-49e3-8691-74b53d98c8f5.ae2d4b6f8713; Version=1; Path=/auth/realms/testing/; Secure; HttpOnly, KEYCLOAK_IDENTITY=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0; Path=/auth/realms/testing/; Secure; HttpOnly, KEYCLOAK_IDENTITY_LEGACY=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0; Path=/auth/realms/testing/; Secure; HttpOnly, KEYCLOAK_SESSION=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0; Path=/auth/realms/testing/; Secure, KEYCLOAK_SESSION_LEGACY=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0; Path=/auth/realms/testing/; Secure, KEYCLOAK_IDENTITY=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0; Path=/auth/realms/testing; Secure; HttpOnly, KEYCLOAK_IDENTITY_LEGACY=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0; Path=/auth/realms/testing; Secure; HttpOnly, KEYCLOAK_SESSION=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0; Path=/auth/realms/testing; Secure, KEYCLOAK_SESSION_LEGACY=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0; Path=/auth/realms/testing; Secure
vs without Cloudflare:
set-cookie: AUTH_SESSION_ID=f1468edf-f50d-4277-962b-c1bf3218ecb6.1d35433e1005; Version=1; Path=/auth/realms/testing/; SameSite=None; Secure; HttpOnly
set-cookie: AUTH_SESSION_ID_LEGACY=f1468edf-f50d-4277-962b-c1bf3218ecb6.1d35433e1005; Version=1; Path=/auth/realms/testing/; Secure; HttpOnly
set-cookie: KEYCLOAK_IDENTITY=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0; Path=/auth/realms/testing/; Secure; HttpOnly
set-cookie: KEYCLOAK_IDENTITY_LEGACY=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0; Path=/auth/realms/testing/; Secure; HttpOnly
set-cookie: KEYCLOAK_SESSION=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0; Path=/auth/realms/testing/; Secure
set-cookie: KEYCLOAK_SESSION_LEGACY=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0; Path=/auth/realms/testing/; Secure
set-cookie: KEYCLOAK_IDENTITY=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0; Path=/auth/realms/testing; Secure; HttpOnly
set-cookie: KEYCLOAK_IDENTITY_LEGACY=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0; Path=/auth/realms/testing; Secure; HttpOnly
set-cookie: KEYCLOAK_SESSION=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0; Path=/auth/realms/testing; Secure
set-cookie: KEYCLOAK_SESSION_LEGACY=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0; Path=/auth/realms/testing; Secure
Has anyone else experienced any related issues, or is there any way we can see if anything has changed in Cloudflare that would cause this issue?
2 Likes
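To make the failure mode in the posts above concrete, here is an added example (not code from the thread, from Keycloak or from Cloudflare) that unfolds a Set-Cookie header joined with ", " the way the thread shows it, and audits a raw header dump of the kind the two curl commands above produce, so you can tell whether the edge or the origin is the one folding. The sample headers are the ones posted in the thread (the test/test2/test3 cookies, and a subset of the Keycloak cookies); the status lines in the dumps are constructed, and only the standard library is used.

```python
"""Unfold ", "-joined Set-Cookie values and audit a header dump for folding.

Added example for this thread; the sample headers are the ones posted above.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# A comma that starts a new cookie is followed (after optional whitespace) by a
# bare cookie name and '='.  The comma inside an Expires date ("Tue, 13 Sep 2022"
# or the legacy "Thu, 01-Jan-1970") is followed by a day number and a space, so
# the lookahead does not match there and that comma is left alone.  This is a
# heuristic: a cookie value or attribute that itself contains a comma cannot be
# unfolded safely, which is why RFC 6265 forbids folding in the first place.
_COOKIE_BOUNDARY = re.compile(r",\s*(?=[^=;,\s]+=)")


@dataclass
class SetCookie:
    name: str
    value: str
    # Attribute names lower-cased; flags such as HttpOnly map to "".
    attributes: dict[str, str] = field(default_factory=dict)

    def has_flag(self, flag: str) -> bool:
        return flag.lower() in self.attributes


def split_folded_set_cookie(header_value: str) -> list[str]:
    """Split one folded Set-Cookie value into the individual cookie strings."""
    return [p.strip() for p in _COOKIE_BOUNDARY.split(header_value) if p.strip()]


def parse_set_cookie(cookie_string: str) -> SetCookie:
    """Parse a single Set-Cookie value: name=value; attr=val; flag; ..."""
    parts = [p.strip() for p in cookie_string.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: dict[str, str] = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return SetCookie(name.strip(), value.strip(), attrs)


def audit_set_cookie_headers(raw_headers: str) -> dict:
    """Summarise a header dump (as from `curl --dump-header -`): how many
    Set-Cookie fields were seen, how many cookies they carry after unfolding,
    whether any field carried more than one cookie, and the cookie names."""
    cookies_per_field = []
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "set-cookie":
            cookies_per_field.append(split_folded_set_cookie(value))
    return {
        "header_fields": len(cookies_per_field),
        "cookie_count": sum(len(c) for c in cookies_per_field),
        "folded": any(len(c) > 1 for c in cookies_per_field),
        "names": [parse_set_cookie(s).name for c in cookies_per_field for s in c],
    }


# The folded value posted above (first curl command, through Cloudflare).
TEST_FOLDED = (
    "test=foo; Path=/; Expires=Tue, 13 Sep 2022 23:37:06 GMT; HttpOnly; Secure; SameSite=None, "
    "test2=bar; Path=/; Expires=Tue, 13 Sep 2022 23:37:06 GMT; Secure; SameSite=None, "
    "test3=abc; Path=/; Expires=Tue, 13 Sep 2022 23:37:06 GMT; Secure; SameSite=None"
)
# Constructed status lines; the Set-Cookie lines are the ones from the thread.
CLOUDFLARE_DUMP = "HTTP/2 200\nset-cookie: " + TEST_FOLDED + "\n"
ORIGIN_DUMP = (
    "HTTP/1.1 200 OK\n"
    "set-cookie: test=foo; Path=/; Expires=Tue, 13 Sep 2022 23:39:08 GMT; HttpOnly; Secure; SameSite=None\n"
    "set-cookie: test2=bar; Path=/; Expires=Tue, 13 Sep 2022 23:39:08 GMT; Secure; SameSite=None\n"
    "set-cookie: test3=abc; Path=/; Expires=Tue, 13 Sep 2022 23:39:08 GMT; Secure; SameSite=None\n"
)
# Subset of the Keycloak cookies from the thread, as the origin sends them.
KEYCLOAK_ORIGIN = [
    "AUTH_SESSION_ID=d637d240-500b-49e3-8691-74b53d98c8f5.ae2d4b6f8713; Version=1; Path=/auth/realms/testing/; SameSite=None; Secure; HttpOnly",
    "AUTH_SESSION_ID_LEGACY=d637d240-500b-49e3-8691-74b53d98c8f5.ae2d4b6f8713; Version=1; Path=/auth/realms/testing/; Secure; HttpOnly",
    "KEYCLOAK_IDENTITY=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0; Path=/auth/realms/testing/; Secure; HttpOnly",
    "KEYCLOAK_SESSION=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0; Path=/auth/realms/testing/; Secure",
]
# The folded form in the thread is exactly the origin values joined with ", ".
KEYCLOAK_FOLDED = ", ".join(KEYCLOAK_ORIGIN)

if __name__ == "__main__":
    for label, dump in (("via Cloudflare", CLOUDFLARE_DUMP), ("direct to origin", ORIGIN_DUMP)):
        print(label, audit_set_cookie_headers(dump))
    # A naive comma split also cuts every Expires date apart: 6 pieces, not 3.
    print("naive comma split pieces:", len(TEST_FOLDED.split(",")))
    print("keycloak round-trip ok:", split_folded_set_cookie(KEYCLOAK_FOLDED) == KEYCLOAK_ORIGIN)
```

Running the audit over a dump captured through the proxy and one captured with `--connect-to` pointing at the origin is the check that localises the folding: `header_fields == 1` with `folded == True` on one side and three separate fields on the other is the pattern this thread describes. The unfold step is only a diagnostic aid; since a comma can legitimately appear inside a cookie's attributes, the robust fix is for the intermediary to stop folding, not for clients to guess at boundaries.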
I believe this issue is related to the one someone else also logged today; any clarity on this would be appreciated.
In Chrome 93.0.4577.82, I’m seeing some weirdness when setting cookies since Cloudflare folds all set-cookie headers into one.
Here’s an example of the set cookie header when folded:
set-cookie: test=1; Path=/; Expires=Tue, 13 Sep 2022 22:21:21 GMT; Secure; SameSite=None, test2=2; Path=/; Expires=Tue, 13 Sep 2022 22:21:21 GMT; Secure; SameSite=None, test3=3; Path=/; Expires=Tue, 13 Sep 2022 22:21:21 GMT; HttpOnly; Secure; SameSite=None
test should not be HTTPOnly in this case, but it ends up …
1 Like
Encountered the same problem, have a great impact on our service
2 Likes
bogdan
September 14, 2021, 7:09am
8
We are facing the same issue, does anyone know of a workaround for this until an official answer comes?
2 Likes
Same issue here. It is very disruptive for our application.
1 Like
gareth3
September 14, 2021, 7:18am
10
We’re experiencing the same issue but have had silence from Cloudflare support.
https://community.cloudflare.com/t/400-errors-only-when-orange-cloud-on/304970/3
1 Like
We have the same problem; please fix this.
1 Like
gareth3
September 14, 2021, 7:16am
14
Yes, looks like the same issue - thanks for pointing it out!
2 Likes
Apparently this is caused by Chrome's accept header:
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Specifically the application/signed-exchange;v=b3;q=0.9 part; removing it from the accept header returns the cookie back to normal.
1 Like
zh.peng
September 14, 2021, 9:08am
16
Hi,
Can you tell me how to remove these headers? Thanks
Hi. One quick solution that worked for us was disabling "Display your site's actual URL on your AMP pages, instead of the traditional Google AMP cache URL." from Mobile, under Speed/Optimization.
Also purged cache after.
Hope this helps.
1 Like
zh.peng
September 14, 2021, 10:23am
18
Hi,
I tested and it works. Thanks so much.
1 Like
TKlein
September 14, 2021, 10:44am
19
Hi there, we’re currently investigating this issue on our end and will follow up on the respective tickets once we know more.
2 Likes
Similar problem here. Experiencing a majority of our customer base not being able to log in or stay logged in due to a malformed session id cookie. The only solution for us was to disable Cloudflare altogether, since we cannot afford this much loss of revenue.
1 Like
smarsh
September 14, 2021, 11:42am
21
Hi all,
Just a quick update. Appears there is an issue with specific Set-Cookie headers:
We have a number of engineers investigating now. Please follow the incident link above for more updates.
Best,
Sam
4 Likes