express
clearCookie should probably only set one header per cookie name test case
While developing a session termination feature in our apps I noticed that a cookie set by our session middleware to maintain cookie expiration was kept in the response even though clearCookie was set in a later request handler. This test case attempts to replicate these circumstances.
According to https://tools.ietf.org/html/rfc6265#section-4.1.1:
Servers SHOULD NOT include more than one Set-Cookie header field in the same response with the same cookie-name. (See Section 5.2 for how user agents handle this case.)
Do you want filtration of Set-Cookie headers in a case like this to be handled within the expressjs framework? If so, I could create a PR to fix that. Or is this something that should be handled by expressjs users?
Hi @StefanWallin that is correct, all the cookie-setting functions just add to the outbound set-cookie header correctly. res.clearCookie is just a res.cookie with an expiration in the past (the http cookie spec doesn't have a special "clear cookie" command).
Unfortunately it is quite hard to actually filter them out and thankfully the spec is SHOULD NOT and not MUST NOT. Web browsers out there currently have no issues receiving them like this and processing them in order. Part of what makes it hard to filter out is that you cannot just filter on the cookie's name -- you have to implement the full cookie-matching algorithm just to know if two of the cookies are the same cookie.