Fastly will be at Black Hat 2022, Aug. 10-11! We’d love to connect if you will be there.
Schedule time with us at the show.

Multiple Set-Cookie Headers: same-name headers



  • Hiro

    Hi Eric,

    Thanks for reaching out. Unfortunately, beresp.http.Set-Cookie will read/write the value of the first Set-Cookie header sent by your origin at this moment.

    If you are looking to log multiple Set-Cookie headers, there is no way to architect a logging statement for subsequent Set-Cookies other than logging the value of the first one.

    However, if you are looking to deliver the response with multiple Set-Cookie headers to the client, you can achieve it at the Fastly edge. You'll need to enable custom VCL and add the following line in the vcl_deliver subroutine:

    add resp.http.Set-Cookie = <your_secod_cookie_value>;

    Best, Hiro

    Comment actions Permalink
  • errodr

    Yes, thank you. I have already done that but I need to get the extra information out of the second set-cookie header. I not only need the value but also the expires, domain, max-age, path and any other information from the set-cookie header.

    Is there any way to do this?

    Comment actions Permalink
  • Hiro

    Understood - one approach you could take is to collect all cookies, store it as a variable, and add it to the response header after separating it. This can be handled in the vcl_deliver.

    Declare a custom variable in VCL.

    declare local var.cookies STRING;

    Read and collect all cookies separated by the pipe

    (Assuming the cookie doesn't contain the pipe, and the origin returns two Set-Cookie headers).

    std.collect(resp.http.Set-Cookie, "|");

    Store it as a variable and unset the original one.

    set var.cookies = resp.http.Set-Cookie;
    unset resp.http.Set-Cookie;

    Regex logic to grab the cookie separated by the pipe.

    Add cookie everything before the pipe, and after the pipe.

    if (var.cookies ~ "([^|]*)") { 
    add resp.http.Set-Cookie =;

    #You can access/store the specific value from the First cookie by calling resp.http.Set-Cookie:<cookie-name> here

    if (var.cookies ~ "\| ([^|]*)") {
    add resp.http.Set-Cookie =;

    #You can access/store the specific value from the Second cookie by calling resp.http.Set-Cookie:<cookie-name> here

    unset resp.http.Set-Cookie;

    #Then you can build a new Set-Cookie header if necessary


    This will add two separate cookies that include the whole information to the response header. You can see the sample test here: (click run) Hope this will help to work around.

    Comment actions Permalink

Please sign in to leave a comment.