starred/hoppscotch
1
0
Fork 0
mirror of https://github.com/hoppscotch/hoppscotch.git synced 2026-04-25 16:55:59 +03:00
Code Issues 711 Projects Releases 5 Packages Wiki Activity

[PR #5394] [MERGED] fix(relay): multiple Set-Cookie headers in resp #5181

New issue
Closed
opened 2026-03-17 02:39:17 +03:00 by kerem · 0 comments
kerem commented 2026-03-17 02:39:17 +03:00
Owner
Copy link

📋 Pull Request Information

Original PR: https://github.com/hoppscotch/hoppscotch/pull/5394
Author: @CuriousCorrelation
Created: 9/21/2025
Status: Merged
Merged: 9/23/2025
Merged by: @jamesgeorge007

Base: nextHead: relay-fix-multi-value-set-cookie-headers

📝 Commits (4)

  • e139b76 fix(relay): multiple Set-Cookie headers in resp
  • 1b84e78 fix: typos
  • 1f12609 fix: doc for defensive handling in resp transform
  • bd0a2df chore: cleanup

📊 Changes

8 files changed (+76 additions, -15 deletions)

View changed files

📝 packages/hoppscotch-agent/src-tauri/Cargo.lock (+1 -1)
📝 packages/hoppscotch-common/src/helpers/kernel/rest/response.ts (+49 -3)
📝 packages/hoppscotch-desktop/plugin-workspace/relay/src/transfer.rs (+16 -1)
📝 packages/hoppscotch-desktop/plugin-workspace/tauri-plugin-relay/Cargo.lock (+1 -1)
📝 packages/hoppscotch-desktop/src-tauri/Cargo.lock (+2 -2)
📝 packages/hoppscotch-desktop/src-tauri/Cargo.toml (+1 -1)
📝 packages/hoppscotch-kernel/package.json (+1 -1)
📝 pnpm-lock.yaml (+5 -5)

📄 Description

This is an experimental way to fix multiple Set-Cookie headers being
lost during HTTP response pre/post-processing by concat-ing them with
\n in the networking layer, so all cookies to be displayed in the
response headers panel instead of only the first one being visible.

Before After
image image

NOTE: This is an experimental workaround for the time being.
\n is used here as a separator because HTTP headers are inherently
line-oriented (\r\n on the wire). This makes it trivial to split back
into distinct Set-Cookie headers without violating RFC rules. The
next idea would be using a custom delimiter but it also would be
arbitrary and risk breaking if that delimiter ever appeared in a cookie
value. The main trade-off is that this is a fragile workaround,
unusual edge cases (e.g. malformed cookies containing newlines, or
components that normalize headers differently) may fail. A full fix
would require changing the header storage structure to support multiple
values per key (the rough idea around that is explained in FE-1008).

Closes FE-1008 (phase-1)
Closes FE-309
Closes #1546 (multiple Set-Cookie headers missing in response display)
Closes #5344 (ignoring one Set-Cookie when response has 2 values)
Closes #5375 (only shows first Set-Cookie when multiple cookies present)
Partially addresses #3532 (fixes header display, automatic cookie
storage will be handled separately).

When servers returned multiple Set-Cookie headers, only the first
header was preserved while subsequent ones were discarded.

The issue occurres because HashMap<String, String> data structure in
TransferHandler could only store one value per header name (by the
very nature of hashmaps or records for instance).

What's changed

Relay networking layer

The header processing in transfer.rs now includes special handling
just for set-cookie headers (case-insensitive accumulator). When
multiple Set-Cookie headers are encountered, they are concatenated with
newlines (why is explained above).

FE processing

Added processHeaders function in response.ts that
splits concatenated Set-Cookie headers back into separate header
entries.

Dependencies

Updated relay and tauri-plugin-relay to commits that include the
Set-Cookie concatenation fix across all target packages.

Testing

Test with any endpoints that set multiple cookies:

curl -i http://localhost:3000/multiple-cookies

or perhaps use httpbin:

curl -i -G \
--data-urlencode "Set-Cookie=sessionid=abc123; Path=/" \
--data-urlencode "Set-Cookie=csrftoken=xyz789; Path=/" \
--data-urlencode "Set-Cookie=userid=user456; Path=/" \
"https://httpbin.org/response-headers"

or even a custom server script:

const http = require('http');

const server = http.createServer((req, res) => {
  if (req.url === '/multiple-cookies') {
    res.setHeader('Set-Cookie', [
      'sessionid=abc123; Path=/',
      'csrftoken=xyz789; Path=/',
      'userid=user456; Path=/'
    ]);
    res.setHeader('Content-Type', 'application/json');
    res.end(JSON.stringify({ message: 'Multiple cookies set' }));
  }
});

Expected response headers:

Set-Cookie: sessionid=abc123; Path=/
Set-Cookie: csrftoken=xyz789; Path=/
Set-Cookie: userid=user456; Path=/

In desktop app response headers panel, all three cookies now appear as
separate header entries instead of only the first one being
visible.

Special Note On Backwards Compat

This preserves the existing HashMap<String, String> structure without
requiring changes to the RelayResponse interface or frontend header
processing pipeline since this will have a rather large ripple effect
all over the codebase. A complete fix is described in FE-1008.

Implementation notes

The comment in processHeaders should explain the rationale:

A complete solution would involve swapping Record/HashMap with a
flat array and propagating the refactor throughout the codebase, from
the underlying networking to the frontend. The problem with that
approach is you lose that O(1) lookup. A simpler approach is
HashMap<String, Vec<String>> but even that doesn't substantially
reduce the refactor surface area.

The newline concatenation also preserves O(1) header lookup
performance.

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

## 📋 Pull Request Information **Original PR:** https://github.com/hoppscotch/hoppscotch/pull/5394 **Author:** [@CuriousCorrelation](https://github.com/CuriousCorrelation) **Created:** 9/21/2025 **Status:** ✅ Merged **Merged:** 9/23/2025 **Merged by:** [@jamesgeorge007](https://github.com/jamesgeorge007) **Base:** `next` ← **Head:** `relay-fix-multi-value-set-cookie-headers` --- ### 📝 Commits (4) - [`e139b76`](https://github.com/hoppscotch/hoppscotch/commit/e139b76ccaa19aff05e6dcfa91036aa512db6205) fix(relay): multiple Set-Cookie headers in resp - [`1b84e78`](https://github.com/hoppscotch/hoppscotch/commit/1b84e7841570f85d94588a818fad5ed83b315e84) fix: typos - [`1f12609`](https://github.com/hoppscotch/hoppscotch/commit/1f12609511dcc7f7650850a55ef83e7c80482064) fix: doc for defensive handling in resp transform - [`bd0a2df`](https://github.com/hoppscotch/hoppscotch/commit/bd0a2df8db30ade9de3b86c9d418b2066cb50541) chore: cleanup ### 📊 Changes **8 files changed** (+76 additions, -15 deletions) <details> <summary>View changed files</summary> 📝 `packages/hoppscotch-agent/src-tauri/Cargo.lock` (+1 -1) 📝 `packages/hoppscotch-common/src/helpers/kernel/rest/response.ts` (+49 -3) 📝 `packages/hoppscotch-desktop/plugin-workspace/relay/src/transfer.rs` (+16 -1) 📝 `packages/hoppscotch-desktop/plugin-workspace/tauri-plugin-relay/Cargo.lock` (+1 -1) 📝 `packages/hoppscotch-desktop/src-tauri/Cargo.lock` (+2 -2) 📝 `packages/hoppscotch-desktop/src-tauri/Cargo.toml` (+1 -1) 📝 `packages/hoppscotch-kernel/package.json` (+1 -1) 📝 `pnpm-lock.yaml` (+5 -5) </details> ### 📄 Description This is an experimental way to fix multiple `Set-Cookie` headers being lost during HTTP response pre/post-processing by concat-ing them with `\n` in the networking layer, so all cookies to be displayed in the response headers panel instead of only the first one being visible. | Before | After | | --- | --- | | <img width="1328" height="888" alt="image" src="https://github.com/user-attachments/assets/0897cd7d-c718-4ddb-ac3c-3a2578956642" /> | <img width="1196" height="887" alt="image" src="https://github.com/user-attachments/assets/fd2d6e10-8e4e-4ea5-bb53-86b92e4f1f23" /> | NOTE: This is an experimental workaround for the time being. `\n` is used here as a separator because HTTP headers are inherently line-oriented (`\r\n` on the wire). This makes it trivial to split back into distinct `Set-Cookie` headers without violating RFC rules. The next idea would be using a custom delimiter but it also would be arbitrary and risk breaking if that delimiter ever appeared in a cookie value. The main trade-off is that this is a fragile workaround, unusual edge cases (e.g. malformed cookies containing newlines, or components that normalize headers differently) may fail. A full fix would require changing the header storage structure to support multiple values per key (the rough idea around that is explained in FE-1008). Closes FE-1008 (phase-1) Closes FE-309 Closes #1546 (multiple Set-Cookie headers missing in response display) Closes #5344 (ignoring one Set-Cookie when response has 2 values) Closes #5375 (only shows first Set-Cookie when multiple cookies present) Partially addresses #3532 (fixes header display, automatic cookie storage will be handled separately). When servers returned multiple `Set-Cookie` headers, only the first header was preserved while subsequent ones were discarded. The issue occurres because `HashMap<String, String>` data structure in `TransferHandler` could only store one value per header name (by the very nature of hashmaps or records for instance). ### What's changed #### Relay networking layer The header processing in `transfer.rs` now includes special handling just for `set-cookie` headers (case-insensitive accumulator). When multiple Set-Cookie headers are encountered, they are concatenated with newlines (why is explained above). #### FE processing Added `processHeaders` function in `response.ts` that splits concatenated `Set-Cookie` headers back into separate header entries. #### Dependencies Updated `relay` and `tauri-plugin-relay` to commits that include the `Set-Cookie` concatenation fix across all target packages. ### Testing Test with any endpoints that set multiple cookies: ```bash curl -i http://localhost:3000/multiple-cookies ``` or perhaps use `httpbin`: ```bash curl -i -G \ --data-urlencode "Set-Cookie=sessionid=abc123; Path=/" \ --data-urlencode "Set-Cookie=csrftoken=xyz789; Path=/" \ --data-urlencode "Set-Cookie=userid=user456; Path=/" \ "https://httpbin.org/response-headers" ``` or even a custom server script: ```javascript const http = require('http'); const server = http.createServer((req, res) => { if (req.url === '/multiple-cookies') { res.setHeader('Set-Cookie', [ 'sessionid=abc123; Path=/', 'csrftoken=xyz789; Path=/', 'userid=user456; Path=/' ]); res.setHeader('Content-Type', 'application/json'); res.end(JSON.stringify({ message: 'Multiple cookies set' })); } }); ``` #### Expected response headers: ``` Set-Cookie: sessionid=abc123; Path=/ Set-Cookie: csrftoken=xyz789; Path=/ Set-Cookie: userid=user456; Path=/ ``` In desktop app response headers panel, all three cookies now appear as separate header entries **instead of only the first one** being visible. ### Special Note On Backwards Compat This preserves the existing `HashMap<String, String>` structure without requiring changes to the `RelayResponse` interface or frontend header processing pipeline since this will have a rather large ripple effect all over the codebase. A complete fix is described in FE-1008. ### Implementation notes The comment in `processHeaders` should explain the rationale: > A complete solution would involve swapping `Record`/`HashMap` with a > flat array and propagating the refactor throughout the codebase, from > the underlying networking to the frontend. The problem with that > approach is you lose that O(1) lookup. A simpler approach is > `HashMap<String, Vec<String>>` but even that doesn't substantially > reduce the refactor surface area. The newline concatenation also preserves O(1) header lookup performance. --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>
kerem 2026-03-17 02:39:17 +03:00
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
chore/security-fix-2026-4-0
next
fix/mockserver-env-set-url-priority
feat/rest-gql-merge
refactor/workspaces
fix/onboarding-mass-assignment
desktop-settings-phase-0-schema-bridge-shell
patch
test-webhook
pr/johnan319/5745
tembo/optimize-performance-db-queries
add-claude-github-actions-1772782423108
fix/code-scanning-103
fix/mock-server-example-endpoint-match-v2
fix/rate-limit-on-health-route
hotfix/api-doc-collection-deletetion
cd-test
fix/mock-server-backend-followup
chore/code-scanning-52
chore/verion-addition-check
nested-migrations
scripting-system-updates-worker-setup
scripting-system-updates
pr/shipko/4367
ci-test
feat/user-delete-condition
feat/user-workspace-stats-api
chore/collection-export-addition
fix/import-file-size-limit-flow
feat/dashboard-common
feat/sort-environment-alphabetically
feat/infra-config-encryption
refactor/team
feat/collection-duplicationn
feat/secure-cookies-toggle
pr/pavog/4195
pr/pavog/4196
test/patch-demo
feat/native-interceptor-updates
pr/AndrewBastin/4111
feat/user-last-active-on
fix/codemirror-large-text-scroll-bug
fix/precision-lost-beautify
fix/env-diff-test-schema-error
fix/email-case-sensitive
release/2024.3.3
refactor/workspace-login-conversion
feat/node-apline-version-upgrade
feat/seed
release/2024.3.2
fix/sh-email-handlebar-issue
feat/app-experiment-animation
release/2024.3.1
release/2024.3.0
pr/jamesgeorge007/3937
experiment/deploychan
feat/github-enterprise-auth
refactor/collection-search-query
hotfix/infra-config-reset-bug
fix/secret-var-bug
hotfix/full-text-search
hotfix/request-variable-version-syncing
feat/request-variable
feat/server-config-additional-properties
pr/JoelJacobStephen/3845
release/2023.12.6
fix/safari-codemirror-perf-bug
release/2023.12.5
release/2023.12.4
fix/secret-env-bugs-tooltip
release/2023.12.3
fix/shared-request-bug
fix/disable-context-menu-option
release/2023.12.2
release/2023.12.1
fix/shared-request-bugs
release/2023.12.0
fix/gql-history-schema
fix/actions-not-working-without-sidebar
pr/jamesgeorge007/3665
chore/desktop-app-corrections
fix/auth-headers-in-coll
fix/embed-url
improve/placeholder
add-realtime-logos
feat/shared-request-embeds
feat/collection-headers
revamp/header
release/2023.8.4
refactor/interceptor-error-display
feat/subpath-based-access
release/2023.8.3
feat/shared-requests
feat/desktop
fix/nodemailer-templates-issue
feature/upgrade-graphql-ws
fix/graphql-crashing
fix/set-environments-when-no-env-selected
refactor/pre-prisma-bump-setup
release/2023.8.2
pr/danitherex/3216
perf/raw-db-query
release/2023.8.1
revert-3348-perf/reduce-backend-calls
fix/incorrect-tab-count-close-all-tab
fix/duplicate-tab-bug
release/2023.8.0
hotfix/fetch-shortcode
fix/tab-right-click-rename-bug
chore/docker-fixes
pr/JoelJacobStephen/3178
feat/fe-accessible-auth-provider-env
feat-cherry-pick/conditional-auth-select
feat/conditional-auth-select
release/2023.4.8
fix/generate-sitemap-issue
test/backend-test-case
refactor/team-invitation
pr/AndrewBastin/3171
release/2023.4.7
fix/duplicate-team-invite
fix/unified-bg-color-coll-tree
fix/shortcode-screen-stuck
release/2023.4.6
revert-3117-patch-3
fix/env-selector-bg
fix/db-url
release/2023.4.4
fix/sync-popup-bug
fix/team-env-set-test
chore/wss-to-ws-on-env
fix/prettify-xml-response
feat/db-volume-addition
feat/env-selector-tabs-ui
bug/broken-env
release/2023.4.2
fix/switch-workspace-env-bug
fix/magic-link
fix/cookie-handler
HPS-OSS-1
staging
revert/auth-issue
feat/export-env
refactor/commons
reference/path-variables
orphan-pr/2243
feat/realtime-search
fix/save-override
refactor/strategies
feat/embeds
bug/withDefaults
feat/show-keys
refactor/toast
2026.3.1
2026.3.0
2026.2.1
2026.2.0
2026.1.1
2026.1.0
2025.12.1
2025.12.0
2025.11.2
2025.11.1
2025.11.0
2025.10.1
2025.10.0
2025.9.2
2025.9.1
2025.9.0
2025.8.1
2025.8.0
2025.7.1
2025.7.0
2025.6.1
2025.6.0
2025.5.4
2025.5.3
2025.5.2
2025.5.1
2025.5.0
2025.4.2
2025.4.1
2025.4.0
2025.3.2
2025.3.1
2025.3.0
2025.2.3
2025.2.2
2025.2.1
2025.2.0
2025.1.1
2025.1.0
2024.12.2
2024.12.1
2024.12.0
2024.11.0
2024.10.2
2024.10.1
2024.10.0
2024.9.3
2024.9.2
2024.9.1
2024.9.0
2024.8.3
2024.8.2
2024.8.1
2024.8.0
2024.7.2
2024.7.1
2024.7.0
2024.6.1
2024.6.0
2024.3.4
2024.3.3
2024.3.2
2024.3.1
2024.3.0
2023.12.6
2023.12.5
2023.12.4
2023.12.3
2023.12.2
2023.12.1
2023.12.0
2023.8.4
2023.8.3
2023.8.2
2023.8.1
2023.8.0
2023.4.8
2023.4.7
2023.4.6
2023.4.5
2023.4.4
2023.4.3
2023.4.2
2023.4.1
2023.4.0
v3.0.1
v3.0.0
v2.2.1
v2.2.0
v2.1.0
v2.0.0
v1.12.0
v1.10.0
v1.9.9
v1.9.7
v1.9.5
v1.9.0
v1.8.0
v1.5.0
v1.0.0
v0.1.0
Labels
Clear labels   
CodeDay

   
a11y

   
browser limited

   
bug

   
bug fix

   
cli

   
core

   
critical

   
design

   
desktop

   
discussion

   
docker

   
documentation

   
duplicate

   
enterprise

   
feature

   
feature

   
fosshack

   
future

   
good first issue

   
hacktoberfest

   
help wanted

   
i18n

   
invalid

   
major

   
minor

   
need information

   
need testing

   
not applicable to hoppscotch

   
not reproducible

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
refactor

   
resolved

   
sandbox

   
self-host

   
spam

   
stale

   
testmu

   
wip

   
wont fix
No labels
CodeDay
a11y
browser limited
bug
bug fix
cli
core
critical
design
desktop
discussion
docker
documentation
duplicate
enterprise
feature
feature
fosshack
future
good first issue
hacktoberfest
help wanted
i18n
invalid
major
minor
need information
need testing
not applicable to hoppscotch
not reproducible
pull-request
question
refactor
resolved
sandbox
self-host
spam
stale
testmu
wip
wont fix
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
starred/hoppscotch#5181
No description provided.