Skip to content

v3.2: Provide guidance for the Set-Cookie response header #4748

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 4 commits into
base: v3.2-dev
Choose a base branch
from
Open

v3.2: Provide guidance for the Set-Cookie response header #4748

wants to merge 4 commits into from
+69 −0

Conversation

handrews
Copy link
Member

@handrews handrews commented Jun 24, 2025
edited
Loading

Partially addresses issue #1237

The Set-Cookie response header breaks the normal rules for headers with multiple values and requires special handling.

There are two options here:

  1. Rework how we handle headers to accommodate Set-Cookie in a consistent manner
  2. Treat Set-Cookie as a special case and define how it relates to normal behavior

Since RFC9110 §5.3 advises clients to treat Set-Cookie as a special case, I went with special-casing it. This assumes the approach to header serialization that is described in PR #4648 and discussed in one of its comment threads (specifically, that it does not include the header name which is required for it to be consistent with how style: "simple" and explode are treated elsewhere and are defined in RFC6570).

  • schema changes are included in this pull request
  • schema changes are needed for this pull request but not done yet
  • no schema changes are needed for this pull request

@handrews
Provide guidance for Set-Cookie
c4b51fa 
The Set-Cookie response header breaks the normal rules for
headers with multiple values and requires special handling.
@handrews handrews added this to the v3.2.0 milestone Jun 24, 2025
@handrews handrews added media and encoding Issues regarding media type support and how to encode data (outside of query/path params) headers labels Jun 24, 2025
@handrews handrews requested review from a team as code owners June 24, 2025 00:25
This was referenced Jun 24, 2025
Draft
Open
philsturgeon
philsturgeon approved these changes Jun 30, 2025
View reviewed changes
@handrews @philsturgeon
Fix typo
dbcb692 
Co-authored-by: Phil Sturgeon <[email protected]>
@handrews
Copy link
Member Author

handrews commented Jul 3, 2025

With apologies to @philsturgeon for clearing his approval (its' set to automatically do that if anything changes) I realized we don't needallowReserved: true in that example (an earlier version I tried out did, and it was left over from that). And while I was at it I added a paragraph emphasizing that this only really matters if you need an intermedia multi-value single-string representation. If you just have an array of values and style: simple to map them to HTTP, they end results are the same as for other headers that support multiple values. Set-Cookie is only strange in that you cannot put multiple values on a single line.

@handrews
Explain when Set-Cookie workaround is needed
734129d 
Also remove a stray line from an example that didn't really hurt
but wasn't needed and could have been confusing.
@handrews
Copy link
Member Author

handrews commented Jul 4, 2025

OK apparently I was more out-of-it yesterday with this cold than I thought. Now I have added the commit that does things I mentioned in the last comment! 🤦

lornajane
lornajane reviewed Jul 8, 2025
View reviewed changes
Copy link
Contributor

@lornajane lornajane left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm mostly in favour, with some minor editorial comments. Do we need to wait for the dataValue/serializedValue elements to resolve though? I see them in an example here.

src/oas.md

RFC9110 therefore advises recipients to 'handle "Set-Cookie" as a special case while processing fields,' so the OAS similarly special-cases its handling of `Set-Cookie`.

When an OAS implementation is mapping directly between the multi-`Set-Cookie:` header line format and an array representation, without any intermediate single string holding the multiple values, no special handling is needed as the behavior is the same as for headers that can be either on a single line with comma-separated values or on multiple lines.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This wasn't instantly clear to me. Multi-header? Multi-line? I think we want to explain that we're mapping between the format of multiple set-cookie headers and an array representation but I may have confused myself by now.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@lornajane yeah this is a bit weird and I could use some help streamlining it. It might take a bit before I can come back and explain because I want to update PR #4673 to be more clear, which I think will help explain this. Or at least help me sort out my thoughts.

@handrews @lornajane
Better wording and grammar
120b1d5 
Co-authored-by: Lorna Jane Mitchell <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@lornajane lornajane lornajane left review comments

@philsturgeon philsturgeon philsturgeon approved these changes

At least 2 approving reviews are required to merge this pull request.

Assignees
No one assigned
Labels
headers media and encoding Issues regarding media type support and how to encode data (outside of query/path params)
Projects
None yet
Milestone
v3.2.0
Development

Successfully merging this pull request may close these issues.
3 participants
@handrews @philsturgeon @lornajane