Multiple cookies are being returned by the API against the RFC

When using sessionCookieRedirect, the 302 response contains 2 set-cookie headers for the sid cookie: one to clear it, and one to set it.

Although this works in the browser, curl, Python, etc., it's against the RFC. And httpie breaks.

https://www.rfc-editor.org/rfc/rfc6265#section-4.1.1

Servers SHOULD NOT include more than one Set-Cookie header field in the same response with the same cookie-name. (See Section 5.2 for how user agents handle this case.)

See also cookie is not being set · Issue #1463 · httpie/cli · GitHub
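As an added example (not code from this thread, from httpie or from Okta), a small Python check that parses a constructed 302 shaped like the one described, flags any cookie-name that appears in more than one Set-Cookie header (the RFC 6265 §4.1.1 rule quoted above), and shows which value a conforming user agent keeps. The header values and hostname are placeholders, not captured data.

```python
from collections import Counter

# Constructed sample (not captured from Okta): a 302 that clears "sid" and then sets it again.
SAMPLE_302 = (
    "HTTP/1.1 302 Found\r\n"
    "Location: https://app.example.com/\r\n"
    "Set-Cookie: sid=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly\r\n"
    "Set-Cookie: sid=EXAMPLE_SESSION_ID; Path=/; Secure; HttpOnly\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def parse_headers(raw):
    """Return (name, value) pairs from a raw HTTP response head, names lower-cased."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        if line:
            name, _, value = line.partition(":")
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def set_cookies(raw):
    """cookie-name and cookie-value of each Set-Cookie header, in response order."""
    result = []
    for name, value in parse_headers(raw):
        if name == "set-cookie":
            pair = value.split(";", 1)[0]  # drop attributes (Path, Expires, ...)
            cname, _, cvalue = pair.partition("=")
            result.append((cname.strip(), cvalue.strip()))
    return result


def duplicate_cookie_names(raw):
    """Names set more than once in one response; RFC 6265 4.1.1 says servers SHOULD NOT do this."""
    counts = Counter(cname for cname, _ in set_cookies(raw))
    return sorted(n for n, c in counts.items() if c > 1)


def effective_value(raw, cookie_name):
    """Value a conforming user agent keeps: RFC 6265 5.3 replaces an existing cookie with the
    same name, domain and path, so the last Set-Cookie for the name wins and header order matters."""
    value = None
    for cname, cvalue in set_cookies(raw):
        if cname == cookie_name:
            value = cvalue
    return value
```

Running `duplicate_cookie_names(SAMPLE_302)` reports `['sid']`; a client that only honours the first header, or rejects the duplicate outright, is the kind of breakage described for httpie.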

It's probably a bug: the clear cookie should have been merged with the set cookie, since the latter overrides it. I suggest opening a support case to push it up the food chain.

FYI, the Okta Identity Engine tenants do not use the sid cookie, so eventually nobody will have any tenants with this particular problem 🙂

OIE doesn’t use the sid cookie

Are you sure? Mine does…

Yeah. It may still be floating there but… The IDX stuff uses a new cookie to store session data on the client side, so the session key is buried in that data. It removes problems that the old /authn API has (we don’t use that API in OIE). It also explains why the /sessions API is mostly not available in OIE.

See okta-auth-js/idx.md at master · okta/okta-auth-js · GitHub about IDX.
