Skip to content

Cookies set by a custom 404/500 error page are silently dropped #17329

Description

@tsushanth

Description

When Astro renders a custom error page (404.astro/500.astro), any cookies that error page sets via Astro.cookies.set() never make it onto the final response. If the original errored page also set a cookie, the error page's cookies vanish entirely.

Root cause

packages/astro/src/core/errors/default-handler.ts (mergeResponses): the merged response's headers (newHeaders) are built by copying originalResponse.headers. Then the error page's cookies are appended to originalResponse.headers — an object already copied and no longer connected to the merged response — and only originalCookies are attached to the merged response, never newCookies. Compounding it, the seen-set guard skips all raw set-cookie values from the error response.

Steps to reproduce

Original page sets sid=abc then throws; 500.astro sets flash=boom.

  • Observed final Set-Cookie: ["sid=abc; Path=/"]
  • Expected: ["sid=abc; Path=/", "flash=boom; Path=/"]

Suggested fix

originalCookies.merge(newCookies) before attachCookiesToResponse, and/or append cookie values to the merged response's headers (not originalResponse.headers); special-case set-cookie so it bypasses the seen single-winner guard.

Metadata

Metadata

Assignees

No one assigned

    Labels

    - P4: importantViolate documented behavior or significantly impacts performance (priority)pkg: astroRelated to the core `astro` package (scope)triage: fix pendingReporter needs to verify the triage bot fix works

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions