Feature request: allow duplicate Set-Cookie values as separate header lines

[elevran]

Title: allow response to include multiple Set-Cookie header lines

Description:
Per HTTP RFC's a response may include multiple Set-Cookie header lines.
Some client enforce this by ignoring all cookies but the first cookie when the 'Set-Cookie` header is defined as a comma-separated list [i.e., #(values)].

My understanding of Envoy's code, is that calling addCopy() on the headers will first find the existing header key then add comma separated values using appendHeaders.
This means that multiple calls to header APPEND operation with a Set-Cookie value will automatically be folded since Envoy uses a hashtable.

There are at least two ways to get the desired behavior:

1. allow duplicate headers (e.g., use a multi-set); or
2. explicitly handle Set-Cookie differently than other headers, writing multiple header lines.

The second option is, IMHO, less intrusive to the code base and can be implemented upon serialization of headers only (i.e., converting Set-Cookie: #(values) to multiple lines.
My reading of the RFC's suggests that this would be handled correctly by browsers expecting multiple lines since they'll automatically apply folding.

Is there an interest in a PR addressing this feature request?
If so, is the second option indeed preferable and should the behavior be configurable by users?

[optional Relevant Links:]
This discussed in the following Istio issue

RFC-7230 Field Order

A recipient MAY combine multiple header fields with the same field
name into one "field-name: field-value" pair, without changing the
semantics of the message, by appending each subsequent field value to
the combined field value in order, separated by a comma. The order
in which header fields with the same field name are received is
therefore significant to the interpretation of the combined field
value; a proxy MUST NOT change the order of these field values when
forwarding a message.
Note: In practice, the "Set-Cookie" header field ([RFC6265]) often
appears multiple times in a response message and does not use the
list syntax, violating the above requirements on multiple header
fields with the same name. Since it cannot be combined into a
single field-value, recipients ought to handle "Set-Cookie" as a
special case while processing header fields. (See Appendix A.2.3
of [Kri2001] for details.)

RFC-6265 Overview

Origin servers SHOULD NOT fold multiple Set-Cookie header fields into a single header field.
The usual mechanism for folding HTTP headers fields (i.e., as defined in [RFC2616]) might
change the semantics of the Set-Cookie header field because the %x2C (",") character is
used by Set-Cookie in a way that conflicts with such folding.

[alyssawilk]

I'd be fine with either a one-off or general improvements to Envoy to not always combine headers. I think the latter would need to be permanently config guarded where if we just special cased cookies we could runtime guard (just in case it was problematic) and remove the old behavior after roll-out (as it looks recommended by the spec).
Alternately a hacky (but easy, but not guardable) workaround would be to remove SetCookie from the list of inline headers. AFIK we only collapse headers for inline headers and it looks like we only ever add to the cookie header in one place and never look it up, so we wouldn't be taking a performance hit. I think I'd prefer a one-off to the hack though, as it'd be more future-proof.
@mattklein123 for HTTP processing and @PiotrSikora because RFCs and Istio :-)

[mattklein123]

I agree the hack of removing from inline headers would probably get the job done. As long as we leave sufficient comments and have tests I would be OK with that. Agreed that everything else is a bunch more work. Would be curious to hear first from @PiotrSikora on the RFC side of this.

[PiotrSikora]

Yeah, Set-Cookie is a special snowflake. Per the RFCs quoted by @elevran, Set-Cookie mustn't be folded (since , used for folding is a legal character in Set-Cookie header value, so recipients could have trouble splitting received cookies), but all other headers should be folded.

As such, I think we should change the existing behavior only for Set-Cookie, without adding the option to not combine arbitrary headers.

[alyssawilk]

Thanks for the confirmation, Piotr.
@elevran, are you up for picking this up? If Matt's happy with the hacky fix I'm good, as long as we add a regression test with a comment pointing to this bug and why set-cookie is special so no one undoes it :-)

[elevran]

@alyssawilk - I am. I can't self assign, though.
Also, as this is my first PR on Envoy, would appreciate having some guidance to streamline code base changes. Will reach out over Slack.

[elevran]

@PiotrSikora reading https://tools.ietf.org/html/rfc6265#section-4.1.1:

 set-cookie-header = "Set-Cookie:" SP set-cookie-string
 set-cookie-string = cookie-pair *( ";" SP cookie-av )
 cookie-pair       = cookie-name "=" cookie-value
 cookie-name       = token
 cookie-value      = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE )
 cookie-octet      = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
                       ; US-ASCII characters excluding CTLs,
                       ; whitespace DQUOTE, comma, semicolon,
                       ; and backslash

So comma can not be used in cookie name or value?

[alyssawilk]

so I'm fairly confused about what's going on here.
@elevran asked for some clues of how to fix this and set-cookie isn't an inline header.
I wrote a regression test for adding multiple set cookie headers, and they stay separate
I wrote an integration test for proxying multiple set-cookie headers, and they stay separate
Checking in with elevran@ the problem was a direct response, so I added a unit test for header_formatter_test adding multiple (distinct) set cookies and they stay separate.

I'm not sure what's going on here but I'm increasingly wondering if @elevran's suspicion on slack that this is an istio-envoy interop issue is correct.

[alyssawilk]

Either way I'll check in all my tests as they're good regression tests we don't break this going forward :-P

[elevran]

Agree with @alyssawilk - this seems to be an issue on the Istio side. Set-Cookie is not automatically folded by Envoy as it is not an inline header.
The issue can be closed.