Skip to content

HTTP2 client doesn't handle multiple cookie values correctly #4451

Closed
#4453
Closed
HTTP2 client doesn't handle multiple cookie values correctly#4451
#4453
Labels
bugSomething isn't working
@peterhirn

Description

@peterhirn
peterhirn
opened on Aug 23, 2025

Bug Description

[RFC9113], Section 8.2.3

The Cookie header field [COOKIE] uses a semicolon (";") to delimit cookie-pairs (or "crumbs").

Currently the implementation has no special case for the cookie header and uses commas (",") as delimiter.

Using semicolon as delimiter should be an easy fix, otoh the linked RFC section continues:

To allow for better compression efficiency, the Cookie header field MAY be split into separate header fields, each with one or more cookie-pairs.

So maybe instead of

cookie: a=b; c=d; e=f

undici should send

cookie: a=b
cookie: c=d
cookie: e=f

🤔

Reproducible By

import http2 from "node:http2";
import { H2CClient } from "undici";

const port = process.env.PORT ?? 3001;

http2
  .createServer((req, res) => {
    console.log(req.headers);
    res.end();
  })
  .listen(port, async () => {
    const headers = { cookie: ["a=b", "c=d", "e=f"] };
    const client = new H2CClient(`http://localhost:${port}`);
    await client.request({ path: "/", method: "GET", headers });
  });
[Object: null prototype] {
  ':authority': 'localhost:3001',
  ':method': 'GET',
  ':path': '/',
  ':scheme': 'https',
  cookie: 'a=b, c=d, e=f',
  Symbol(sensitiveHeaders): [ 'cookie' ]
}

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugSomething isn't working

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions