set-cookie header seems overwritten when using callout Go AddHeaderMutation

[laurodd]

Hello all, I hope you are doing well!

We encountered a situation where it seems the set-cookie header is being overwritten when using the callout Go, rather than allowing multiple set-cookie headers to be sent as expected.
If we do not touch the set-cookie on the sercie-extension/callout, we see the set-cookies from the origin.
It’s a fairly simple behavior to reproduce:

The origin/backend sets two cookies using http.SetCookie:

func handler(w http.ResponseWriter, r *http.Request) {
	http.SetCookie(w, &http.Cookie{
		Name:     "session_id",
		Value:    "abc123",
		HttpOnly: true,
		Path:     "/",
	})

	http.SetCookie(w, &http.Cookie{
		Name:  "user",
		Value: "willow",
		Path:  "/",
	})

	w.Write([]byte("Cookie has been set."))
}

In the callout, we try to add another set-cookie header using code similar to add_header.go:

// current behavior: we only have the set-cookie below
ResponseHeaders: utils.AddHeaderMutation([]struct{ Key, Value string }{
	{Key: "set-cookie", Value: "Value-response"},
}, nil, false, nil),

The result is that only the last set-cookie header is preserved (i.e., set-cookie: Value-response) — instead of having all the set-cookies from the origin plus the new one, we only see the new set-cookie.

We also tried setting multiple set-cookie headers directly at the callout level (by passing multiple entries to AddHeaderMutation), but the behavior remained the same: only the last set-cookie was retained.
We attempted adjusting the appendAction *base.HeaderValueOption_HeaderAppendAction, but unfortunately without success.

In case it helps, we found some relevant discussions and references in the Envoy project:

• ext_authz filter should allow multiple Set-Cookie headers to be added by the Check response envoyproxy/envoy#8649

• ext_proc: Allow multiple set-cookie response headers envoyproxy/envoy#29861

We also reviewed parts of the code in Envoy itself, particularly mutation_utils.cc.

If you have any insights on this, we deeply appreciate.

best, Lauro

[stevenzzzz]

hi Lauro,

HeaderValueOption_HeaderAppendAction is not supported in Envoy ext_proc filter yet, work tracked by Envoy issue envoyproxy/envoy#36982 and @yanjunxiang-google is working on it.

When you set the cookie, could you concatenate the multiple values into one? using the ';' delimiter.
or if you could set the "append" bit to true in the returned HeaderValueOption, it should also work.

[laurodd]

Hello @stevenzzzz ,

Thank you for your reply, much appreciated. We were able to correctly append using headerValueOption.Append.

For those facing the same situation, below is what we did:

ResponseHeaders: utils.AddHeaderMutation(*ResponseHeaders, nil, false, corev3.HeaderValueOption_APPEND_IF_EXISTS_OR_ADD.Enum()),

// callout_tools.go
if appendAction != nil {
	headerValueOption.AppendAction = *appendAction
	// fix of https://github.com/GoogleCloudPlatform/service-extensions/issues/225
	if *appendAction == base.HeaderValueOption_APPEND_IF_EXISTS_OR_ADD {
		headerValueOption.Append = &wrapperspb.BoolValue{Value: true}
	}

}

We also added the Append for some unit-tests like below

//callout_tools_test.go
		AppendAction: appendAction,
		Append:       &wrapperspb.BoolValue{Value: true},