fix(cookies): use lookahead heuristic for splitting Set-Cookie headers

[bytaesu]

Related to https://discord.com/channels/1288403910284935179/1477776139027087450

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

2 Skipped Deployments

Project	Deployment	Actions	Updated (UTC)
better-auth-demo	Ignored		Mar 2, 2026 8:44pm
better-auth-docs	Skipped		Mar 2, 2026 8:44pm

[pkg-pr-new]

Open in StackBlitz

@better-auth/api-key

npm i https://pkg.pr.new/@better-auth/api-key@8301

better-auth

npm i https://pkg.pr.new/better-auth@8301

auth

npm i https://pkg.pr.new/auth@8301

@better-auth/core

npm i https://pkg.pr.new/@better-auth/core@8301

@better-auth/drizzle-adapter

npm i https://pkg.pr.new/@better-auth/drizzle-adapter@8301

@better-auth/electron

npm i https://pkg.pr.new/@better-auth/electron@8301

@better-auth/expo

npm i https://pkg.pr.new/@better-auth/expo@8301

@better-auth/i18n

npm i https://pkg.pr.new/@better-auth/i18n@8301

@better-auth/kysely-adapter

npm i https://pkg.pr.new/@better-auth/kysely-adapter@8301

@better-auth/memory-adapter

npm i https://pkg.pr.new/@better-auth/memory-adapter@8301

@better-auth/mongo-adapter

npm i https://pkg.pr.new/@better-auth/mongo-adapter@8301

@better-auth/oauth-provider

npm i https://pkg.pr.new/@better-auth/oauth-provider@8301

@better-auth/passkey

npm i https://pkg.pr.new/@better-auth/passkey@8301

@better-auth/prisma-adapter

npm i https://pkg.pr.new/@better-auth/prisma-adapter@8301

@better-auth/redis-storage

npm i https://pkg.pr.new/@better-auth/redis-storage@8301

@better-auth/scim

npm i https://pkg.pr.new/@better-auth/scim@8301

@better-auth/sso

npm i https://pkg.pr.new/@better-auth/sso@8301

@better-auth/stripe

npm i https://pkg.pr.new/@better-auth/stripe@8301

@better-auth/telemetry

npm i https://pkg.pr.new/@better-auth/telemetry@8301

@better-auth/test-utils

npm i https://pkg.pr.new/@better-auth/test-utils@8301

commit: 183ab2c

[Copilot]

Pull request overview

Updates the cookie parsing utilities to more reliably split combined Set-Cookie header strings (as sometimes surfaced by Fetch/Headers implementations), especially when Expires contains commas and other tricky substrings.

Changes:

• Replace the splitSetCookieHeader implementation with a lookahead heuristic that splits only when a comma is followed by a name= pattern.
• Add additional parseSetCookieHeader tests covering multiple Expires date formats and edge cases (e.g., Expires=0, RFC 850, asctime format).

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File	Description
packages/better-auth/src/cookies/cookies.test.ts	Adds regression/edge-case tests for parseSetCookieHeader around Expires and mixed cookie lists.
packages/better-auth/src/cookies/cookie-utils.ts	Implements new heuristic-based splitting for combined Set-Cookie headers to avoid mis-splitting on Expires commas.

Comments suppressed due to low confidence (1)

packages/better-auth/src/cookies/cookies.test.ts:282

• The Expires test date string uses a weekday that doesn’t match the calendar date ("Mon, 01 Jan 2026 ..."; 2026-01-01 is a Thursday). Even though parsing may ignore the weekday, keeping it consistent avoids confusing future readers and prevents potential strict parsers from failing; consider changing the weekday (or using an ISO/RFC3339 timestamp) in both the header and expected Date construction.

			"a=1; Path=/; HttpOnly, b=2; Expires=Mon, 01 Jan 2026 00:00:00 GMT; Secure, c=3; SameSite=Lax",
		);
		expect(map.get("a")?.value).toBe("1");
		expect(map.get("b")?.value).toBe("2");
		expect(map.get("b")?.expires).toEqual(
			new Date("Mon, 01 Jan 2026 00:00:00 GMT"),
		);

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[cubic-dev-ai]

No issues found across 2 files

[bytaesu]

-> updating comment

[cubic-dev-ai]

No issues found across 2 files