-
Notifications
You must be signed in to change notification settings - Fork 32
Description
Hello all, I hope you are doing well!
We encountered a situation where it seems the set-cookie header is being overwritten when using the callout Go, rather than allowing multiple set-cookie headers to be sent as expected.
If we do not touch the set-cookie on the sercie-extension/callout, we see the set-cookies from the origin.
It’s a fairly simple behavior to reproduce:
The origin/backend sets two cookies using http.SetCookie:
func handler(w http.ResponseWriter, r *http.Request) {
http.SetCookie(w, &http.Cookie{
Name: "session_id",
Value: "abc123",
HttpOnly: true,
Path: "/",
})
http.SetCookie(w, &http.Cookie{
Name: "user",
Value: "willow",
Path: "/",
})
w.Write([]byte("Cookie has been set."))
}
In the callout, we try to add another set-cookie header using code similar to add_header.go:
// current behavior: we only have the set-cookie below
ResponseHeaders: utils.AddHeaderMutation([]struct{ Key, Value string }{
{Key: "set-cookie", Value: "Value-response"},
}, nil, false, nil),
The result is that only the last set-cookie header is preserved (i.e., set-cookie: Value-response) — instead of having all the set-cookies from the origin plus the new one, we only see the new set-cookie.
We also tried setting multiple set-cookie headers directly at the callout level (by passing multiple entries to AddHeaderMutation), but the behavior remained the same: only the last set-cookie was retained.
We attempted adjusting the appendAction *base.HeaderValueOption_HeaderAppendAction, but unfortunately without success.
In case it helps, we found some relevant discussions and references in the Envoy project:
We also reviewed parts of the code in Envoy itself, particularly mutation_utils.cc.
If you have any insights on this, we deeply appreciate.
best, Lauro