Cannot include two cookies with the same name in a response

[stevenhair]

Long story short

This is similar to #1125 except that this relates to the server rather than the client.

The server cannot send back two cookies for different subdomains that have the same name.

Expected behaviour

If multiple cookies are defined with the same name but different paths/domains, both cookies should be sent on the response.

Actual behaviour

The response only includes the last cookie set

Steps to reproduce

from aiohttp import web

response = web.Response()
response.set_cookie('foo', 'cookie for the domain', domain='localhost')
response.set_cookie('foo', 'cookie for the subdomain', domain='foo.localhost')

response.cookies will only contain the second cookie

Your environment

• Python 3.6.5
• aiohttp 3.2.1

[asvetlov]

I'm curious why do you need diffrent cookies for domain and subdomain?

[stevenhair]

My use case is that we originally set the cookie on the subdomain, but now we need to implement our SSO feature on a different subdomain. The solution is easy: just set the cookie on domain.com instead of sub.domain.com. However, we would like to delete the subdomain cookie because letting it live on could create some interesting bugs.

My use case is pretty unusual, but I suspect that this will apply to paths as well (not that you should be using cookies with the same names in that situation, either).

I think that I've found a workaround which is to do this:

response.headers['Set-Cookie'] = 'foo=""; Domain=sub.domain.com; HttpOnly; Max-Age=-1; Path=/'

[stevenhair]

It turns out that even if this worked as I expected, IE and Edge don't really care about the cookie domain when it comes to having multiple Set-Cookie headers with the same name. So even if this was changed in the aiohttp server code, it wouldn't be of much use.

I'm going to close this issue.

[asvetlov]

Agree. And workaround exists, a direct setting of response headers in complex cases sounds very reasonable to me.

[nealyip]

I've encountered this problem too.
In my case I've no control on the web server, just crawl the content from it.
However, The cookies having a same name but different path were sent to the crawler.
The cookie jar used a [domain][cookie name] dict-alike structure, so that one of them was overwritten.

[asvetlov]

You always can analyze Cookie HTTP header for complex cases from a gray zone which are not handled by aiohttp.
As an alternative, you can try to make a Pull Request for respecting sent path along with name and domain but I have a feeling that the fix is complex and cumbersome.

[lock]

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a [new issue] for related bugs.
If you feel like there's important points made in this discussion, please include those exceprts into that [new issue].
[new issue]: https://github.com/aio-libs/aiohttp/issues/new