Set-cookie header being stripped

Why are “set-cookie” headers being stripped by CloudFlare while sending response headers to end users?

Findings/Supporting data:

  1. Response headers being served by Section origin to CloudFlare

Response headers:
accept-ranges: bytes
cache-control: private, max-age=0, proxy-revalidate, no-store, no-cache, must-revalidate
content-encoding: br
content-length: 5285
content-type: text/html; charset=UTF-8
date: Fri, 17 Sep 2021 20:08:44 GMT
expires: Sat, 20 Mar 2021 02:02:40 GMT
pragma: no-cache
referrer-policy: no-referrer-when-downgrade
rtss: 1-1-54-ha
section-io-id: e937b9459a67ef008144bb9eed54db2e
set-cookie: SSID=CACQSR0AAAAAAADM9URhAACADcz1RGEBAAAAAAAAAAAAzPVEYQA-Wg; path=/; domain=.examplesite.com; expires=Sat, 17-Sep-2022 20:08:44 GMT
set-cookie: SSSC=1.G7008997176843960320.1|0.0; path=/; domain=.examplesite.com
set-cookie: SSRT=zPVEYQABAA; path=/; domain=.examplesitecom; expires=Sat, 17-Sep-2022 20:08:44 GMT
strict-transport-security: max-age=31536000;includeSubDomains;
vary: X-Forwarded-Proto,Accept-Encoding,User-Agent

  2. Response headers being served by CloudFlare to Enduser:

cache-control: private, max-age=0, proxy-revalidate, no-store, no-cache, must-revalidate
cf-cache-status: DYNAMIC
cf-ray: 6904f7ecc8805590-EWR
content-encoding: br
content-type: text/html; charset=UTF-8
date: Fri, 17 Sep 2021 20:08:47 GMT
expect-ct: max-age=604800, report-uri=“https://report-uri.cloudflarecom/cdn-cgi/beacon/expect-ct
last-modified: Fri, 17 Sep 2021 19:14:45 GMT
nel: {“success_fraction”:0,“report_to”:“cf-nel”,“max_age”:604800}
pragma: public
referrer-policy: no-referrer-when-downgrade
report-to: {“endpoints”:[{“url”:“https://a.nel.cloudflarecom/report/v3?s=SFUjuZcrBSMCGQkr4iWdT0mfjkjlKJckEKj2X8R87RyN3NAhpV3lpnHLhR5tB2b0qqELNHJCJo1g2NfEHXsRlSfRxZQvp%2BdZTG%2B%2Fz%2FzdTxjCO7DGYn1bpKpnKCtvfEC%2F4LOOTWViTC0vC9O1WA%3D%3D"}],“group”:“cf-nel”,"max_age”:604800}
rtss: 1-1-54-ha
section-io-id: 6ca589dce67417c5720a2c1c738bb14e
server: cloudflare
strict-transport-security: max-age=31536000;includeSubDomains;
vary: X-Forwarded-Proto,Accept-Encoding,User-Agent

Questions:

  1. Is CloudFlare sending its own response headers to endusers instead of sending the response headers received from Section origin? If yes, how to make CloudFlare send back response headers it receives from Section origin?

  2. If CloudFlare is actually sending back to the endusers the response headers it received from Section origin, why is the “Set-cookie” header being stripped? How can we add CloudFlare to send “set-cookie” header to endusers?

That’s odd, afaik the set-cookies that you set should be preserved under all scenarios. I believe that CF recently had an issue where multiple set-cookies were set instead of sending everything in 1 single header.
Could be related but I’m just taking blind guesses here.


@MoreHelp ticket #2259537
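
An added example, not part of the original thread: a small Python script that diffs the origin and edge header sets from the question, keeping repeated headers such as `set-cookie` as separate values. The sample input is constructed from a subset of the two dumps above, with cookie values replaced by the placeholder `EXAMPLE`; the function names are hypothetical.

```python
from collections import defaultdict

# Constructed sample input: a subset of the two header dumps posted above,
# with cookie values replaced by the placeholder "EXAMPLE".
ORIGIN_RAW = """\
cache-control: private, max-age=0, proxy-revalidate, no-store, no-cache, must-revalidate
content-length: 5285
expires: Sat, 20 Mar 2021 02:02:40 GMT
pragma: no-cache
section-io-id: e937b9459a67ef008144bb9eed54db2e
set-cookie: SSID=EXAMPLE; path=/; domain=.examplesite.com
set-cookie: SSSC=EXAMPLE; path=/; domain=.examplesite.com
set-cookie: SSRT=EXAMPLE; path=/; domain=.examplesite.com
vary: X-Forwarded-Proto,Accept-Encoding,User-Agent
"""
EDGE_RAW = """\
cache-control: private, max-age=0, proxy-revalidate, no-store, no-cache, must-revalidate
cf-cache-status: DYNAMIC
last-modified: Fri, 17 Sep 2021 19:14:45 GMT
pragma: public
section-io-id: 6ca589dce67417c5720a2c1c738bb14e
server: cloudflare
vary: X-Forwarded-Proto,Accept-Encoding,User-Agent
"""

def parse_headers(raw):
    """Parse 'name: value' lines into {name: [values]}; repeated headers keep every value."""
    headers = defaultdict(list)
    for line in raw.splitlines():
        name, sep, value = line.partition(":")  # split on the first colon only
        if sep:
            headers[name.strip().lower()].append(value.strip())
    return dict(headers)

def diff_headers(origin, edge):
    """Return sorted header names that were (dropped, added, changed) between origin and edge."""
    dropped = sorted(set(origin) - set(edge))
    added = sorted(set(edge) - set(origin))
    changed = sorted(n for n in set(origin) & set(edge) if origin[n] != edge[n])
    return dropped, added, changed

def cookie_names(headers):
    """Names of all cookies set by the response, one per Set-Cookie header."""
    return [v.split("=", 1)[0] for v in headers.get("set-cookie", [])]

if __name__ == "__main__":
    origin, edge = parse_headers(ORIGIN_RAW), parse_headers(EDGE_RAW)
    print("dropped, added, changed:", diff_headers(origin, edge))
    print("cookies at origin:", cookie_names(origin), "at edge:", cookie_names(edge))
```

Besides the missing `set-cookie`, the diff reports `pragma` and `section-io-id` as changed. If `section-io-id` is unique per origin response (an assumption; the thread does not say), the two dumps come from different responses, so a like-for-like comparison needs the same request captured at both points.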
