Can't set multiple cookies in one request
ml27299 opened this issue · 1 comment
When you set multiple cookies, it only sets the first one. I have an application that has a CSRF middleware; it is one of the first middlewares to be initialized. My app has a route where we set a token and then redirect to another page in the app. What's happening is that the CSRF middleware runs before the route function handler. The middleware sets a cookie, then the route function runs and sets another cookie, then a redirect happens.
res.cookie("token", token, defaultCookieOpts);
SERVERLESS_EXPRESS:FORWARD_REQUEST_TO_NODE_SERVER:RESPONSE
_header: 'HTTP/1.1 302 Found\r\n' +
'X-DNS-Prefetch-Control: off\r\n' +
'X-Frame-Options: SAMEORIGIN\r\n' +
'Strict-Transport-Security: max-age=15552000; includeSubDomains\r\n' +
'X-Download-Options: noopen\r\n' +
'X-Content-Type-Options: nosniff\r\n' +
'X-XSS-Protection: 1; mode=block\r\n' +
'Referrer-Policy: same-origin\r\n' +
'Surrogate-Control: no-store\r\n' +
'Cache-Control: no-store, no-cache, must-revalidate, proxy-revalidate\r\n' +
'Pragma: no-cache\r\n' +
'Expires: 0\r\n' +
'Set-Cookie: _csrf=3A2IecjCunSB9Sq2rI-i-Ani; Path=/; SameSite=Strict\r\n' +
'Set-Cookie: token= on3N6MSlyG; Path=/; Expires=Fri, 31 Dec 9999 00:00:00 GMT\r\n' +
'Location: tx/austin/math-tutors/pro-1-fFWS9tC-z?leadKey=6lfLJiBTmXR&service=UCT7ybWAds\r\n' +
'Vary: Accept\r\n' +
'Content-Type: text/html; charset=utf-8\r\n' +
'Content-Length: 204\r\n' +
'Date: Tue, 20 Dec 2022 07:48:30 GMT\r\n' +
'Connection: keep-alive\r\n' +
'\r\n',
_keepAliveTimeout: 0,
_onPendingData: [Function: noopPendingOutput],
_sent100: false,
_expect_continue: false,
req: IncomingMessage {
_readableState: [ReadableState],
_events: [Object: null prototype] {},
_eventsCount: 0,
_maxListeners: undefined,
socket: [Object],
httpVersionMajor: '1',
httpVersionMinor: '1',
httpVersion: '1.1',
complete: true,
headers: [Object],
rawHeaders: [],
trailers: {},
rawTrailers: [],
aborted: false,
DEBUG {
message: 'SERVERLESS_EXPRESS:FORWARD_RESPONSE:EVENT_SOURCE_RESPONSE_PARAMS',
statusCode: 302,
body: '[BASE64_ENCODED]',
headers: [Object: null prototype] {
'x-dns-prefetch-control': 'off',
'x-frame-options': 'SAMEORIGIN',
'strict-transport-security': 'max-age=15552000; includeSubDomains',
'x-download-options': 'noopen',
'x-content-type-options': 'nosniff',
'x-xss-protection': '1; mode=block',
'referrer-policy': 'same-origin',
'surrogate-control': 'no-store',
'cache-control': 'no-store, no-cache, must-revalidate, proxy-revalidate',
pragma: 'no-cache',
expires: '0',
'set-cookie': [
'_csrf=3A2IecjCunSB9Sq2rI-i-Ani; Path=/; SameSite=Strict',
'token=on3N6MSlyG; Path=/; Expires=Fri, 31 Dec 9999 00:00:00 GMT'
],
location: '/pros/leads',
vary: 'Accept',
'content-type': 'text/html; charset=utf-8',
'content-length': '66'
},
isBase64Encoded: true
}
DEBUG {
message: 'SERVERLESS_EXPRESS:FORWARD_RESPONSE:EVENT_SOURCE_RESPONSE',
successResponse: '{\n' +
' statusCode: 302,\n' +
" body: 'PHA+Rm91bmQuIFJlZGlyZWN0aW5nIHRvIDxhIGhyZWY9InR4L2F1c3Rpbi9tYXRoLXR1dG9ycy9wcm8tMS1mRldTOXRDLXo/bGVhZEtleT02bGZMSmlCVG1YUiZhbXA7c2VydmljZT1VQ1Q3eWJXQWRzIj50eC9hdXN0aW4vbWF0aC10dXRvcnMvcHJvLTEtZkZXUzl0Qy16P2xlYWRLZXk9NmxmTEppQlRtWFImYW1wO3NlcnZpY2U9VUNUN3liV0FkczwvYT48L3A+',\n" +
' headers: {\n' +
" 'x-dns-prefetch-control': 'off',\n" +
" 'x-frame-options': 'SAMEORIGIN',\n" +
" 'strict-transport-security': 'max-age=15552000; includeSubDomains',\n" +
" 'x-download-options': 'noopen',\n" +
" 'x-content-type-options': 'nosniff',\n" +
" 'x-xss-protection': '1; mode=block',\n" +
" 'referrer-policy': 'same-origin',\n" +
" 'surrogate-control': 'no-store',\n" +
" 'cache-control': 'no-store, no-cache, must-revalidate, proxy-revalidate',\n" +
" pragma: 'no-cache',\n" +
" expires: '0',\n" +
" 'set-cookie': '_csrf=3A2IecjCunSB9Sq2rI-i-Ani; Path=/; SameSite=Strict',\n" +
" location: 'tx/austin/math-tutors/pro-1-fFWS9tC-z?leadKey=6lfLJiBTmXR&service=UCT7ybWAds',\n" +
" vary: 'Accept',\n" +
" 'content-type': 'text/html; charset=utf-8',\n" +
" 'content-length': '204'\n" +
' },\n' +
' multiValueHeaders: undefined,\n' +
' isBase64Encoded: true\n' +
'}',
body: '[BASE64_ENCODED]'
}
I think the problem is in these lines:
But this problem is not that simple to solve, as laverdet describes in this issue: #554
For sure, the strategy for handling cookies needs to be evaluated again to be more resilient. I think the solution from Stack Overflow could be one possible solution for this problem.
What you can do now is maybe try activating the multiValueHeaders option
inside AWS ALB. This will lead to the problem of reversed cookie order, but at least the cookie will be set.
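As an added example (not serverless-express's own code, and not from this issue), the functions below reproduce the header-forwarding step the two DEBUG blocks above show: the same Node headers object with a two-element `set-cookie` array, mapped once into the single-valued `headers` form (where only one cookie survives, silently dropping the second) and once into `multiValueHeaders` (where both are kept). `buildResponse`, `toSingleValueHeaders`, `toMultiValueHeaders` and the placeholder cookie values are assumptions.

```javascript
// Added example (not serverless-express code): why collapsing Node's
// `set-cookie` array into a single-valued `headers` map loses cookies,
// and how emitting `multiValueHeaders` instead keeps every one of them.
// Constructed sample mirroring the EVENT_SOURCE_RESPONSE_PARAMS headers above.
const nodeHeaders = {
  'cache-control': 'no-store, no-cache, must-revalidate, proxy-revalidate',
  'set-cookie': [
    '_csrf=CSRF_TOKEN_PLACEHOLDER; Path=/; SameSite=Strict',
    'token=SESSION_TOKEN_PLACEHOLDER; Path=/; Expires=Fri, 31 Dec 9999 00:00:00 GMT',
  ],
  location: '/pros/leads',
};

// Lossy mapping: a single-value `headers` map holds one string per name,
// so an array value collapses to its first element and the rest are lost.
function toSingleValueHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name] = Array.isArray(value) ? value[0] : String(value);
  }
  return out;
}

// Lossless mapping: every header becomes an array, which is the shape
// API Gateway/ALB consume when multi-value headers are enabled.
function toMultiValueHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name] = Array.isArray(value) ? [...value] : [String(value)];
  }
  return out;
}

// Build the event-source response. With multi-value support, forward all
// cookies; without it, fall back to the lossy map but report which Set-Cookie
// values were dropped, so a missing CSRF or session cookie is visible, not silent.
function buildResponse(statusCode, headers, { multiValue }) {
  if (multiValue) {
    return { statusCode, multiValueHeaders: toMultiValueHeaders(headers), droppedCookies: [] };
  }
  const cookies = [].concat(headers['set-cookie'] || []);
  return { statusCode, headers: toSingleValueHeaders(headers), droppedCookies: cookies.slice(1) };
}
```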