From df04015439becae8e8c48a02cb6e1992d6040037 Mon Sep 17 00:00:00 2001
From: Laurence Rowe
Date: Thu, 8 Feb 2018 17:18:35 -0800
Subject: [PATCH] fix: Allow multiple unmerged set-cookie headers. (#1570)
---
 lib/response.js | 8 +++-----
 test/response.test.js | 13 +++++++++++++
 test/server.test.js | 11 +++++++----
 3 files changed, 23 insertions(+), 9 deletions(-)
diff --git a/lib/response.js b/lib/response.js
index 672e0ea93..0d4d69b76 100644
--- a/lib/response.js
+++ b/lib/response.js
@@ -20,12 +20,10 @@ var InternalServerError = errors.InternalServerError;
 /**
 * @private
 * Headers that cannot be multi-values.
- * @see #779, don't use comma separated values for set-cookie
- * @see #986, don't use comma separated values for content-type
- * @see http://tools.ietf.org/html/rfc6265#section-3
+ * @see #779, multiple set-cookie values are allowed only as multiple headers.
+ * @see #986, multiple content-type values / headers disallowed.
 */
 var HEADER_ARRAY_BLACKLIST = {
- 'set-cookie': true,
 'content-type': true
 };
@@ -188,7 +186,7 @@ function patch(Response) {
 * // => { 'x-foo': ['a', 'b'] }
 * @example
 *
- * Note that certain headers like `set-cookie` and `content-type`
+ * Note that certain headers like `content-type`
 * do not support multiple values, so calling `header()`
 * twice for those headers will
 * overwrite the existing value.
diff --git a/test/response.test.js b/test/response.test.js
index e5865cb36..0876228fe 100644
--- a/test/response.test.js
+++ b/test/response.test.js
@@ -623,3 +623,16 @@ test('GH-1429: setting code with res.status not respected', function(t) {
 t.end();
 });
 });
+
+test('should support multiple set-cookie headers', function(t) {
+ SERVER.get('/set-cookie', function(req, res, next) {
+ res.header('Set-Cookie', 'a=1');
+ res.header('Set-Cookie', 'b=2');
+ res.send(null);
+ });
+
+ CLIENT.get(join(LOCALHOST, '/set-cookie'), function(err, _, res) {
+ t.equal(res.headers['set-cookie'].length, 2);
+ t.end();
+ });
+});
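Review bot: In the first lib/response.js hunk, removing `'set-cookie': true` from `HEADER_ARRAY_BLACKLIST` also changes behaviour for existing callers. Going by the `header()` doc edited in the second hunk, a repeated `res.header('set-cookie', ...)` used to overwrite, so code that re-issues a session cookie by calling it twice would presumably now send both values. The `header()` implementation is outside both hunks, so this is inferred from the doc comment only. I would state it in that doc, e.g. `* Repeated set-cookie calls append a separate Set-Cookie header; remove the header first to replace a cookie.` I would also keep the dropped `@see http://tools.ietf.org/html/rfc6265#section-3` line, since it is the reason the values must never be comma-joined.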
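Review bot: In the test/response.test.js hunk, the new test dereferences `res.headers['set-cookie']` without checking `err`, so a failed request would surface as a TypeError instead of a clean test failure; add `t.ifError(err);` as the first line of the `CLIENT.get` callback. The length check also passes for any two values, so it does not pin what was actually sent. I would assert the content as well: `t.deepEqual(res.headers['set-cookie'], ['a=1', 'b=2']);`.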
diff --git a/test/server.test.js b/test/server.test.js
index ec14d119b..0a5155978 100644
--- a/test/server.test.js
+++ b/test/server.test.js
@@ -2088,11 +2088,14 @@ test('gh-779 set-cookie fields should never have commas', function(t) {
 CLIENT.get('/set-cookie', function(err, _, res) {
 t.ifError(err);
 t.equal(
- res.headers['set-cookie'].length,
- 1,
- 'set-cookie header should only have 1 element'
+ res.rawHeaders.filter(function(keyOrValue) {
+ return keyOrValue === 'set-cookie';
+ }).length,
+ 2,
+ 'multiple set-cookie headers should not be merged'
 );
- t.equal(res.headers['set-cookie'], 'bar');
+ t.equal(res.headers['set-cookie'][0], 'foo');
+ t.equal(res.headers['set-cookie'][1], 'bar');
 t.end();
 });
 });
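Review bot: The `rawHeaders` filter compares with `=== 'set-cookie'`, which is case-sensitive and inspects values as well as names, because `rawHeaders` is a flat name/value list with names exactly as received. The route handler is outside the hunk, so the assertion presumably passes only because that handler sets the header in lower case; a handler writing `Set-Cookie` would make the count 0 even though the headers were sent unmerged. I would match names only and ignore case: `res.rawHeaders.filter(function(v, i) { return i % 2 === 0 && v.toLowerCase() === 'set-cookie'; }).length`. The test's body starts above the hunk.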