Can't set multiple cookies in one request #609

Open
ml27299 opened this issue Dec 20, 2022 · 1 comment
ml27299 commented Dec 20, 2022

When you set multiple cookies, it only sets the first one. I have an application that has a CSRF middleware; it is one of the first middlewares to be initialized. My app has a route where we set a token, then redirect to another page in the app. What's happening is that the CSRF middleware runs before the route function handler. The middleware sets a cookie, then the route function runs and sets another cookie, then a redirect happens.

res.cookie("token", token, defaultCookieOpts);

SERVERLESS_EXPRESS:FORWARD_REQUEST_TO_NODE_SERVER:RESPONSE

_header: 'HTTP/1.1 302 Found\r\n' +
      'X-DNS-Prefetch-Control: off\r\n' +
      'X-Frame-Options: SAMEORIGIN\r\n' +
      'Strict-Transport-Security: max-age=15552000; includeSubDomains\r\n' +
      'X-Download-Options: noopen\r\n' +
      'X-Content-Type-Options: nosniff\r\n' +
      'X-XSS-Protection: 1; mode=block\r\n' +
      'Referrer-Policy: same-origin\r\n' +
      'Surrogate-Control: no-store\r\n' +
      'Cache-Control: no-store, no-cache, must-revalidate, proxy-revalidate\r\n' +
      'Pragma: no-cache\r\n' +
      'Expires: 0\r\n' +
      'Set-Cookie: _csrf=3A2IecjCunSB9Sq2rI-i-Ani; Path=/; SameSite=Strict\r\n' +
      'Set-Cookie: token= on3N6MSlyG; Path=/; Expires=Fri, 31 Dec 9999 00:00:00 GMT\r\n' +
      'Location: tx/austin/math-tutors/pro-1-fFWS9tC-z?leadKey=6lfLJiBTmXR&service=UCT7ybWAds\r\n' +
      'Vary: Accept\r\n' +
      'Content-Type: text/html; charset=utf-8\r\n' +
      'Content-Length: 204\r\n' +
      'Date: Tue, 20 Dec 2022 07:48:30 GMT\r\n' +
      'Connection: keep-alive\r\n' +
      '\r\n',
    _keepAliveTimeout: 0,
    _onPendingData: [Function: noopPendingOutput],
    _sent100: false,
    _expect_continue: false,
    req: IncomingMessage {
      _readableState: [ReadableState],
      _events: [Object: null prototype] {},
      _eventsCount: 0,
      _maxListeners: undefined,
      socket: [Object],
      httpVersionMajor: '1',
      httpVersionMinor: '1',
      httpVersion: '1.1',
      complete: true,
      headers: [Object],
      rawHeaders: [],
      trailers: {},
      rawTrailers: [],
      aborted: false,
DEBUG	{
  message: 'SERVERLESS_EXPRESS:FORWARD_RESPONSE:EVENT_SOURCE_RESPONSE_PARAMS',
  statusCode: 302,
  body: '[BASE64_ENCODED]',
  headers: [Object: null prototype] {
    'x-dns-prefetch-control': 'off',
    'x-frame-options': 'SAMEORIGIN',
    'strict-transport-security': 'max-age=15552000; includeSubDomains',
    'x-download-options': 'noopen',
    'x-content-type-options': 'nosniff',
    'x-xss-protection': '1; mode=block',
    'referrer-policy': 'same-origin',
    'surrogate-control': 'no-store',
    'cache-control': 'no-store, no-cache, must-revalidate, proxy-revalidate',
    pragma: 'no-cache',
    expires: '0',
    'set-cookie': [
      '_csrf=3A2IecjCunSB9Sq2rI-i-Ani; Path=/; SameSite=Strict',
      'token=on3N6MSlyG; Path=/; Expires=Fri, 31 Dec 9999 00:00:00 GMT'
    ],
    location: '/pros/leads',
    vary: 'Accept',
    'content-type': 'text/html; charset=utf-8',
    'content-length': '66'
  },
  isBase64Encoded: true
}
DEBUG	{
  message: 'SERVERLESS_EXPRESS:FORWARD_RESPONSE:EVENT_SOURCE_RESPONSE',
  successResponse: '{\n' +
    '  statusCode: 302,\n' +
    "  body: 'PHA+Rm91bmQuIFJlZGlyZWN0aW5nIHRvIDxhIGhyZWY9InR4L2F1c3Rpbi9tYXRoLXR1dG9ycy9wcm8tMS1mRldTOXRDLXo/bGVhZEtleT02bGZMSmlCVG1YUiZhbXA7c2VydmljZT1VQ1Q3eWJXQWRzIj50eC9hdXN0aW4vbWF0aC10dXRvcnMvcHJvLTEtZkZXUzl0Qy16P2xlYWRLZXk9NmxmTEppQlRtWFImYW1wO3NlcnZpY2U9VUNUN3liV0FkczwvYT48L3A+',\n" +
    '  headers: {\n' +
    "    'x-dns-prefetch-control': 'off',\n" +
    "    'x-frame-options': 'SAMEORIGIN',\n" +
    "    'strict-transport-security': 'max-age=15552000; includeSubDomains',\n" +
    "    'x-download-options': 'noopen',\n" +
    "    'x-content-type-options': 'nosniff',\n" +
    "    'x-xss-protection': '1; mode=block',\n" +
    "    'referrer-policy': 'same-origin',\n" +
    "    'surrogate-control': 'no-store',\n" +
    "    'cache-control': 'no-store, no-cache, must-revalidate, proxy-revalidate',\n" +
    "    pragma: 'no-cache',\n" +
    "    expires: '0',\n" +
    "    'set-cookie': '_csrf=3A2IecjCunSB9Sq2rI-i-Ani; Path=/; SameSite=Strict',\n" +
    "    location: 'tx/austin/math-tutors/pro-1-fFWS9tC-z?leadKey=6lfLJiBTmXR&service=UCT7ybWAds',\n" +
    "    vary: 'Accept',\n" +
    "    'content-type': 'text/html; charset=utf-8',\n" +
    "    'content-length': '204'\n" +
    '  },\n' +
    '  multiValueHeaders: undefined,\n' +
    '  isBase64Encoded: true\n' +
    '}',
  body: '[BASE64_ENCODED]'
}
H4ad (Contributor) commented Dec 20, 2022

I think the problem is in these lines:

https://github.com/vendia/serverless-express/blob/75cfbffeb3fd030695b9587a75300c7b8012ac6a/src/event-sources/aws/alb.js#L47-L53

But this problem is not that simple to solve, as laverdet describes in this issue: #554

For sure, the strategy of handling cookies needs to be evaluated again to be more resilient; I think the Stack Overflow solution could be one possible solution for this problem.

What you can do now is maybe try activating the multiValueHeaders option on the AWS ALB. This will lead to the problem of reverse cookie order, but at least the cookie will be set.
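To make the failure mode in this thread concrete, here is an added example (not serverless-express's own code; the function names are hypothetical and the sample headers are constructed from the log above). Node's response object exposes `set-cookie` as an array when more than one cookie is set. An ALB single-value `headers` map only holds one string per header name, so collapsing that array to its first element is exactly what drops the second cookie; the `multiValueHeaders` shape keeps every value. The `droppedCookies` check compares the cookie names the app set against the names that actually reach the client, which is the test to run when a CSRF cookie and a session/token cookie are issued in the same response and one of them "mysteriously" never arrives.

```javascript
// Added example, not project code. Shows why a single-value header map
// loses cookies and how a multi-value header map keeps them.

// Constructed sample of what Node's res.getHeaders() returns when two
// cookies are set in one response (values taken from the issue's log).
const nodeHeaders = {
  'cache-control': 'no-store, no-cache, must-revalidate, proxy-revalidate',
  'set-cookie': [
    '_csrf=3A2IecjCunSB9Sq2rI-i-Ani; Path=/; SameSite=Strict',
    'token=on3N6MSlyG; Path=/; Expires=Fri, 31 Dec 9999 00:00:00 GMT',
  ],
  location: '/pros/leads',
};

// Lossy mapping (hypothetical name): ALB single-value `headers` is
// string -> string, so an array has to be collapsed. Taking the first
// element silently discards every other Set-Cookie.
function toSingleValueHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name] = Array.isArray(value) ? value[0] : String(value);
  }
  return out;
}

// Lossless mapping (hypothetical name): with multi-value headers enabled
// on the ALB target group, every header is an array of strings, so all
// Set-Cookie values are forwarded.
function toMultiValueHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name] = Array.isArray(value) ? [...value] : [String(value)];
  }
  return out;
}

// Builds the Lambda response object in either shape.
function buildAlbResponse(headers, { multiValueHeaders = false } = {}) {
  return multiValueHeaders
    ? { statusCode: 302, multiValueHeaders: toMultiValueHeaders(headers), body: '' }
    : { statusCode: 302, headers: toSingleValueHeaders(headers), body: '' };
}

// Extracts the cookie name from a Set-Cookie header value.
function cookieName(setCookie) {
  return setCookie.split(';', 1)[0].split('=', 1)[0].trim();
}

// Returns the names of cookies the app set that the ALB response no
// longer carries. An empty array means nothing was dropped.
function droppedCookies(appHeaders, albResponse) {
  const wanted = [].concat(appHeaders['set-cookie'] || []).map(cookieName);
  const sent = albResponse.multiValueHeaders
    ? albResponse.multiValueHeaders['set-cookie'] || []
    : [].concat(albResponse.headers['set-cookie'] || []);
  const sentNames = new Set(sent.map(cookieName));
  return wanted.filter((name) => !sentNames.has(name));
}

const lossy = buildAlbResponse(nodeHeaders);
const lossless = buildAlbResponse(nodeHeaders, { multiValueHeaders: true });

console.log('dropped with single-value headers:', droppedCookies(nodeHeaders, lossy));
console.log('dropped with multiValueHeaders:', droppedCookies(nodeHeaders, lossless));
```

Run it with `node` and the single-value path reports `token` as dropped while the multi-value path reports nothing. In the issue's log the `_csrf` cookie is the one that survives, so the request that follows the redirect carries a CSRF token but no session token; the same mechanism could just as easily keep the token and drop the CSRF cookie, depending on which middleware runs first.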
