Auth_request and multiple cookies from the authentication server

Francis Daly francis at
Mon Oct 19 09:31:13 UTC 2020

On Thu, Sep 24, 2020 at 09:01:38AM +0300, Hannu Shemeikka wrote:

Hi there,

I'm afraid I don't have a great answer for you...

> It seems that the variable $upstream_http_set_cookie only contains the
> first cookie and not all cookies set by the upstream server.
> Is this variable's behavior feature or is it a bug? Is there a
> workaround for this?

I think that that is "the current implementation", and has been that way
for long enough that it is unlikely to change in the near future.

A closely-related issue is at --
basically, the same thing but for $http_X headers/variables.

There seems to be a lua-based function to get the request http headers;
I do not know if there is something similar to get the upstream response

So, for workarounds -- I do not think it is possible in pure-nginx
config. If you are willing and able to change the upstream server
to return the Set-Cookie headers as a single header, maybe that would
work? But it does appear to be a weakness in current nginx. It appears to
have been that way for a long time, and therefore has not been important
enough to any one person to design and implement a fix.

Perhaps everyone who came across it, adapted their upstreams; or switched
to using something other than nginx.

All the best,

Francis Daly        francis at

More information about the nginx mailing list