Fix multiple cookies with same name but different paths/domains

- Add generate_cookie_key function to create unique keys from domain/path/name
- Extend cookies.get() to accept optional domain and path options in opts parameter
- Store cookies with unique keys to prevent overwrites
- Maintain backward compatibility with existing API usage
- Add comprehensive tests for new functionality
- Address review feedback from PR #14056

Co-authored-by: Rich-Harris <[email protected]>

Author: Copilot

.changeset/fix-multiple-cookies-same-name.md

@@ -0,0 +1,21 @@
+---
+'@sveltejs/kit': patch
+---
+
+fix: support multiple cookies with the same name across different paths and domains
+
+Fixes issue where setting multiple cookies with the same name but different paths would overwrite each other. Now cookies are stored with unique keys based on domain, path, and name, allowing proper handling of multiple cookies with identical names but different scopes.
+
+The `cookies.get()` method has been extended to accept optional `domain` and `path` options to retrieve specific cookies:
+
+```js
+// Set cookies with same name but different paths
+cookies.set('session', 'user1', { path: '/admin' });
+cookies.set('session', 'user2', { path: '/api' });
+
+// Retrieve specific cookies
+cookies.get('session', { path: '/admin' }); // returns 'user1'
+cookies.get('session', { path: '/api' });   // returns 'user2'
+```
+
+Backward compatibility is maintained - existing code that doesn't specify domain/path continues to work as before.

packages/kit/src/exports/public.d.ts

@@ -212,9 +212,12 @@ export interface Cookies {
 	/**
 	 * Gets a cookie that was previously set with `cookies.set`, or from the request headers.
 	 * @param name the name of the cookie
-	 * @param opts the options, passed directly to `cookie.parse`. See documentation [here](https://github.com/jshttp/cookie#cookieparsestr-options)
+	 * @param opts the options, domain and path are used to find the cookie, and passed directly to `cookie.parse`. See documentation [here](https://github.com/jshttp/cookie#cookieparsestr-options)
 	 */
-	get: (name: string, opts?: import('cookie').CookieParseOptions) => string | undefined;
+	get: (
+		name: string,
+		opts?: import('cookie').CookieParseOptions & { domain?: string; path?: string }
+	) => string | undefined;
 
 	/**
 	 * Gets all cookies that were previously set with `cookies.set`, or from the request headers.

packages/kit/src/runtime/server/cookie.js

@@ -26,6 +26,21 @@ function validate_options(options) {
 	}
 }
 
+/**
+ * Generates a unique key for a cookie based on its domain, path, and name in
+ * the format: `<domain>/<path>?<name>`.
+ * If domain is undefined, it will be omitted.
+ * For example: `/?name`, `example.com/foo?name`.
+ *
+ * @param {string | undefined} domain
+ * @param {string} path
+ * @param {string} name
+ * @returns {string}
+ */
+function generate_cookie_key(domain, path, name) {
+	return `${domain || ''}${path}?${name}`;
+}
+
 /**
  * @param {Request} request
  * @param {URL} url
@@ -56,16 +71,33 @@ export function get_cookies(request, url) {
 
 		/**
 		 * @param {string} name
-		 * @param {import('cookie').CookieParseOptions} [opts]
+		 * @param {import('cookie').CookieParseOptions & {domain?: string, path?: string}} [opts]
 		 */
 		get(name, opts) {
-			const c = new_cookies[name];
-			if (
-				c &&
-				domain_matches(url.hostname, c.options.domain) &&
-				path_matches(url.pathname, c.options.path)
-			) {
-				return c.value;
+			// Try to get cookie using the unique key format if domain/path specified
+			if (opts?.domain !== undefined || opts?.path !== undefined) {
+				const cookie_key = generate_cookie_key(
+					opts?.domain, 
+					opts?.path || url?.pathname || '/', 
+					name
+				);
+				const c = new_cookies[cookie_key];
+				if (c) {
+					// When specifically requesting a cookie by domain/path, we return it directly
+					// if it exists in our storage, since the key already encodes the path/domain matching
+					return c.value;
+				}
+			}
+			
+			// Fallback: look for any cookie with this name that matches current domain/path
+			// This maintains backward compatibility
+			for (const key in new_cookies) {
+				const c = new_cookies[key];
+				if (c && c.name === name &&
+					domain_matches(url.hostname, c.options.domain) &&
+					path_matches(url.pathname, c.options.path)) {
+					return c.value;
+				}
 			}
 
 			const req_cookies = parse(header, { decode: opts?.decode });
@@ -213,10 +245,12 @@ export function get_cookies(request, url) {
 			path = resolve(normalized_url, path);
 		}
 
-		new_cookies[name] = { name, value, options: { ...options, path } };
+		// Generate unique key for cookie storage
+		const cookie_key = generate_cookie_key(options.domain, path, name);
+		new_cookies[cookie_key] = { name, value, options: { ...options, path } };
 
 		if (__SVELTEKIT_DEV__) {
-			const serialized = serialize(name, value, new_cookies[name].options);
+			const serialized = serialize(name, value, new_cookies[cookie_key].options);
 			if (new TextEncoder().encode(serialized).byteLength > MAX_COOKIE_SIZE) {
 				throw new Error(`Cookie "${name}" is too large, and will be discarded by the browser`);
 			}

packages/kit/src/runtime/server/cookie.spec.js

@@ -69,7 +69,7 @@ test('a cookie should not be present after it is deleted', () => {
 test('default values when set is called', () => {
 	const { cookies, new_cookies } = cookies_setup();
 	cookies.set('a', 'b', { path: '/' });
-	const opts = new_cookies['a']?.options;
+	const opts = new_cookies['/?a']?.options;
 	assert.equal(opts?.secure, true);
 	assert.equal(opts?.httpOnly, true);
 	assert.equal(opts?.path, '/');
@@ -79,7 +79,7 @@ test('default values when set is called', () => {
 test('default values when set is called on sub path', () => {
 	const { cookies, new_cookies } = cookies_setup({ href: 'https://example.com/foo/bar' });
 	cookies.set('a', 'b', { path: '' });
-	const opts = new_cookies['a']?.options;
+	const opts = new_cookies['/foo/bar?a']?.options;
 	assert.equal(opts?.secure, true);
 	assert.equal(opts?.httpOnly, true);
 	assert.equal(opts?.path, '/foo/bar');
@@ -89,14 +89,14 @@ test('default values when set is called on sub path', () => {
 test('default values when on localhost', () => {
 	const { cookies, new_cookies } = cookies_setup({ href: 'http://localhost:1234' });
 	cookies.set('a', 'b', { path: '/' });
-	const opts = new_cookies['a']?.options;
+	const opts = new_cookies['/?a']?.options;
 	assert.equal(opts?.secure, false);
 });
 
 test('overridden defaults when set is called', () => {
 	const { cookies, new_cookies } = cookies_setup();
 	cookies.set('a', 'b', { secure: false, httpOnly: false, sameSite: 'strict', path: '/a/b/c' });
-	const opts = new_cookies['a']?.options;
+	const opts = new_cookies['/a/b/c?a']?.options;
 	assert.equal(opts?.secure, false);
 	assert.equal(opts?.httpOnly, false);
 	assert.equal(opts?.path, '/a/b/c');
@@ -106,7 +106,7 @@ test('overridden defaults when set is called', () => {
 test('default values when delete is called', () => {
 	const { cookies, new_cookies } = cookies_setup();
 	cookies.delete('a', { path: '/' });
-	const opts = new_cookies['a']?.options;
+	const opts = new_cookies['/?a']?.options;
 	assert.equal(opts?.secure, true);
 	assert.equal(opts?.httpOnly, true);
 	assert.equal(opts?.path, '/');
@@ -117,7 +117,7 @@ test('default values when delete is called', () => {
 test('overridden defaults when delete is called', () => {
 	const { cookies, new_cookies } = cookies_setup();
 	cookies.delete('a', { secure: false, httpOnly: false, sameSite: 'strict', path: '/a/b/c' });
-	const opts = new_cookies['a']?.options;
+	const opts = new_cookies['/a/b/c?a']?.options;
 	assert.equal(opts?.secure, false);
 	assert.equal(opts?.httpOnly, false);
 	assert.equal(opts?.path, '/a/b/c');
@@ -128,15 +128,15 @@ test('overridden defaults when delete is called', () => {
 test('cannot override maxAge on delete', () => {
 	const { cookies, new_cookies } = cookies_setup();
 	cookies.delete('a', { path: '/', maxAge: 1234 });
-	const opts = new_cookies['a']?.options;
+	const opts = new_cookies['/?a']?.options;
 	assert.equal(opts?.maxAge, 0);
 });
 
 test('last cookie set with the same name wins', () => {
 	const { cookies, new_cookies } = cookies_setup();
 	cookies.set('a', 'foo', { path: '/' });
 	cookies.set('a', 'bar', { path: '/' });
-	const entry = new_cookies['a'];
+	const entry = new_cookies['/?a'];
 	assert.equal(entry?.value, 'bar');
 });
 
@@ -145,8 +145,8 @@ test('cookie names are case sensitive', () => {
 	// not that one should do this, but we follow the spec...
 	cookies.set('a', 'foo', { path: '/' });
 	cookies.set('A', 'bar', { path: '/' });
-	const entrya = new_cookies['a'];
-	const entryA = new_cookies['A'];
+	const entrya = new_cookies['/?a'];
+	const entryA = new_cookies['/?A'];
 	assert.equal(entrya?.value, 'foo');
 	assert.equal(entryA?.value, 'bar');
 });
@@ -211,5 +211,71 @@ test("set_internal isn't affected by defaults", () => {
 	set_internal('test', 'foo', options);
 
 	expect(cookies.get('test')).toEqual('foo');
-	expect(new_cookies['test']?.options).toEqual(options);
+	expect(new_cookies['/a/b/c?test']?.options).toEqual(options);
+});
+
+test('reproduce issue #13947: multiple cookies with same name but different paths', () => {
+	const { cookies } = cookies_setup();
+	
+	// Set two cookies with the same name but different paths
+	cookies.set('key', 'value1', { path: '/foo' });
+	cookies.set('key', 'value2', { path: '/bar' });
+	
+	// Both cookies should be accessible by specifying their path
+	expect(cookies.get('key', { path: '/foo' })).toEqual('value1');
+	expect(cookies.get('key', { path: '/bar' })).toEqual('value2');
+});
+
+test('cookies with same name but different domains', () => {
+	const { cookies } = cookies_setup();
+	
+	// Set two cookies with the same name but different domains
+	cookies.set('key', 'value1', { path: '/', domain: 'example.com' });
+	cookies.set('key', 'value2', { path: '/', domain: 'sub.example.com' });
+	
+	// Both cookies should be accessible by specifying their domain
+	expect(cookies.get('key', { domain: 'example.com', path: '/' })).toEqual('value1');
+	expect(cookies.get('key', { domain: 'sub.example.com', path: '/' })).toEqual('value2');
+});
+
+test('cookies with same name but different domain and path combinations', () => {
+	const { cookies } = cookies_setup();
+	
+	// Set cookies with same name but different domain/path combinations
+	cookies.set('key', 'value1', { path: '/foo', domain: 'example.com' });
+	cookies.set('key', 'value2', { path: '/bar', domain: 'example.com' });
+	cookies.set('key', 'value3', { path: '/foo', domain: 'sub.example.com' });
+	
+	// All cookies should be accessible by specifying their domain and path
+	expect(cookies.get('key', { domain: 'example.com', path: '/foo' })).toEqual('value1');
+	expect(cookies.get('key', { domain: 'example.com', path: '/bar' })).toEqual('value2');
+	expect(cookies.get('key', { domain: 'sub.example.com', path: '/foo' })).toEqual('value3');
+});
+
+test('backward compatibility: get without domain/path options still works', () => {
+	const { cookies } = cookies_setup();
+	
+	// Set a cookie the old way
+	cookies.set('old-style', 'value', { path: '/' });
+	
+	// Should be retrievable without specifying path
+	expect(cookies.get('old-style')).toEqual('value');
+});
+
+test('get with only path specified (no domain)', () => {
+	const { cookies } = cookies_setup();
+	
+	cookies.set('key', 'value', { path: '/test' });
+	
+	// Should be retrievable by path only
+	expect(cookies.get('key', { path: '/test' })).toEqual('value');
+});
+
+test('get with only domain specified (no path)', () => {
+	const { cookies } = cookies_setup();
+	
+	cookies.set('key', 'value', { path: '/', domain: 'example.com' });
+	
+	// Should be retrievable by domain only (path defaults to current URL path)
+	expect(cookies.get('key', { domain: 'example.com' })).toEqual('value');
 });

packages/kit/types/index.d.ts

@@ -189,9 +189,12 @@ declare module '@sveltejs/kit' {
 		/**
 		 * Gets a cookie that was previously set with `cookies.set`, or from the request headers.
 		 * @param name the name of the cookie
-		 * @param opts the options, passed directly to `cookie.parse`. See documentation [here](https://github.com/jshttp/cookie#cookieparsestr-options)
+		 * @param opts the options, domain and path are used to find the cookie, and passed directly to `cookie.parse`. See documentation [here](https://github.com/jshttp/cookie#cookieparsestr-options)
 		 */
-		get: (name: string, opts?: import('cookie').CookieParseOptions) => string | undefined;
+		get: (
+			name: string,
+			opts?: import('cookie').CookieParseOptions & { domain?: string; path?: string }
+		) => string | undefined;
 
 		/**
 		 * Gets all cookies that were previously set with `cookies.set`, or from the request headers.