router icon indicating copy to clipboard operation
router copied to clipboard
verified publisher icon TanStack

Bug: Only the last setCookie takes effect on the server route

Open Mr-Alexandre opened this issue 2 months ago • 6 comments

Which project does this relate to?

Start

Describe the bug

When trying to set multiple cookies in a server handler using setCookie, only the last cookie gets actually set in the browser. All previous setCookie calls seem to be overridden or ignored.

Your Example Website or App

https://github.com/Mr-Alexandre/bug-repro-tanstack-start-cookie

Steps to Reproduce the Bug or Issue

  1. Start the dev server (e.g., pnpm dev).
  2. Open your browser and go to http://localhost:3000/api/set-cookies.
  3. Open DevTools → Network tab → Select the request to /api/set-cookies.
  4. Check the "Set-Cookie" headers in the Response Headers.
  5. You will see that only the last cookie is set.

Expected behavior

As a user, I expected multiple Set-Cookie headers to be sent and both cookies to be set, but I am seeing only the last one is applied. The previous one is missing.

Screenshots or Videos

https://github.com/user-attachments/assets/cbbc9ff2-c8c7-44d3-9c4b-76c4471191c7

Platform

  • Router / Start Version: [e.g. 1.121.0]
  • OS: [macOS]
  • Browser: [Chrome]
  • Browser Version: [140.0.7339.214]
  • Bundler: [vite]
  • Bundler Version: [7.1.7]

Additional context

This bug happens consistently and prevents setting multiple cookies for auth/session scenarios. Possibly related to how Response headers are managed in TanStack Start server handlers.

Mr-Alexandre avatar Oct 13 '25 12:10 Mr-Alexandre

I cannot reproduce this issue from the bug example repo with the following browsers:

Zen Browser (Firefox based) 1.16.4b (Firefox 143.0.4) (64-bit) Image

Chromium Version 141.0.7390.76 (Official Build) Arch Linux (64-bit) Image

OS: Arch Linux x86_64 (Kernal Linux 6.12.51-1-lts)

It's possible I'm missing something though, just thought I'd give it a shot to see if I can track down what's happening in the H3 setCookie call but like I said, I was unable to reproduce.

juliusdelta avatar Oct 13 '25 20:10 juliusdelta

I’ve tested this issue across multiple versions and confirmed that it only appears in the latest releases.

Works correctly in: { "@tanstack/react-router": "^1.131.48", "@tanstack/react-router-devtools": "^1.131.48", "@tanstack/react-router-ssr-query": "^1.131.48", "@tanstack/react-start": "^1.131.48", "@tanstack/router-plugin": "^1.131.48" }

Bug reproduced in: { "@tanstack/react-router": "^1.132.0", "@tanstack/react-router-devtools": "^1.132.0", "@tanstack/react-router-ssr-query": "^1.131.7", "@tanstack/react-start": "^1.132.0", "@tanstack/router-plugin": "^1.132.0" }

Tested on: • Device: MacBook Pro M4 Pro • OS: macOS 15.6.1 • Browsers: • Chrome 141.0.7390.77 • Safari 18.6 (20621.3.11.11.3)

Chrome 141.0.7390.77 Image

Safari 18.6 (20621.3.11.11.3) Image

Mr-Alexandre avatar Oct 14 '25 06:10 Mr-Alexandre

I’ve identified the root cause more precisely. The issue only occurs when using Node.js v20.19.2.

After upgrading to Node.js v22.2.0, the problem no longer occurs — both cookies are properly set and received by the browser.

Working: • Node.js v22.2.0 – ✅ multiple Set-Cookie headers work

Broken: • Node.js v20.19.2 – ❌ only the last Set-Cookie is set

Mr-Alexandre avatar Oct 16 '25 05:10 Mr-Alexandre

we require node v22 at least in start

schiller-manuel avatar Oct 16 '25 18:10 schiller-manuel

hi i use BUN 1.3.0 , same bug is here too,

ecoskun87 avatar Oct 17 '25 10:10 ecoskun87

hi i use BUN 1.3.0 , same bug is here too,

zWingz avatar Nov 27 '25 08:11 zWingz