Separate cookie headers are not parsed into Request.cookies under HTTP/2

[jploskey]

I've noticed this issue when debugging a FastAPI application running under Granian, however this does seem to be a problem on the Starlette/FastAPI side. See emmett-framework/granian#539 for the original issue.

According to the HTTP/2 and ASGI specs, under HTTP/2 the client is allowed to send multiple cookie headers on a request, and ASGI should include these separate headers in the headers passed to the application; see https://asgi.readthedocs.io/en/latest/specs/www.html#http. Google Chrome, when sending requests over HTTP/2, always seems to send cookies using multiple cookie headers, which is how I discovered this issue.

Currently, when trying to access Request.cookies, only the first "Cookie" header is taken into account. While this makes sense for HTTP/1.1, when the HTTP version is 2.0 the additional headers should probably be parsed out as well.

Example

import asyncio
from starlette.applications import Starlette
from starlette.requests import Request
from starlette.responses import JSONResponse
from starlette.routing import Route
from starlette.types import Message, Receive, Scope, Send

def index(request: Request):
    print("SCOPE:", request.scope)
    print("COOKIES:", request.cookies)
    return JSONResponse({"cookies": request.cookies})

app = Starlette(
    debug=True,
    routes=[Route('/', index)]
)

scope: Scope = {
    "type": "http",
    "asgi": {
        "version": "3.0",
        "spec_version": "2.3",
    },
    "http_version": "2.0",
    "method": "GET",
    "scheme": "http",
    "path": "/",
    "raw_path": b"/",
    "query_string": b"",
    "root_path": "",
    "headers": [
        (b"cookie", b"a=abc;"),
        (b"cookie", b"b=def;"),
        (b"cookie", b"c=ghi;")
    ],
    "client": ("127.0.0.1", 10000),
    "server": ("127.0.0.1", 8000),
    "extensions": {}
}

async def send(event: Message):
    print("SEND:", event)

async def receive() -> Message:
    print("RECEIVE")
    return {}

asyncio.run(app(scope, receive, send))

Expected Output (All three cookies are parsed out):

$ python main.py
SCOPE: {'type': 'http', 'asgi': {'version': '3.0', 'spec_version': '2.3'}, 'http_version': '2.0', 'method': 'GET', 'scheme': 'http', 'path': '/', 'raw_path': b'/', 'query_string': b'', 'root_path': '', 'headers': [(b'cookie', b'a=abc;'), (b'cookie', b'b=def;'), (b'cookie', b'c=ghi;')], 'client': ('127.0.0.1', 10000), 'server': ('127.0.0.1', 8000), 'extensions': {}, 'app': <starlette.applications.Starlette object at 0x1059797f0>, 'starlette.exception_handlers': ({<class 'starlette.exceptions.HTTPException'>: <bound method ExceptionMiddleware.http_exception of <starlette.middleware.exceptions.ExceptionMiddleware object at 0x10597a510>>, <class 'starlette.exceptions.WebSocketException'>: <bound method ExceptionMiddleware.websocket_exception of <starlette.middleware.exceptions.ExceptionMiddleware object at 0x10597a510>>}, {}), 'router': <starlette.routing.Router object at 0x105979a90>, 'endpoint': <function index at 0x1050db9c0>, 'path_params': {}}
COOKIES: {'a': 'abc','b':'def','c':'ghi'}
SEND: {'type': 'http.response.start', 'status': 200, 'headers': [(b'content-length', b'43'), (b'content-type', b'application/json')]}
SEND: {'type': 'http.response.body', 'body': b'{"cookies":{"a":"abc","b":"def","c":"ghi"}}'}

Actual Output (Only the first cookie is available):

SCOPE: {'type': 'http', 'asgi': {'version': '3.0', 'spec_version': '2.3'}, 'http_version': '2.0', 'method': 'GET', 'scheme': 'http', 'path': '/', 'raw_path': b'/', 'query_string': b'', 'root_path': '', 'headers': [(b'cookie', b'a=abc;'), (b'cookie', b'b=def;'), (b'cookie', b'c=ghi;')], 'client': ('127.0.0.1', 10000), 'server': ('127.0.0.1', 8000), 'extensions': {}, 'app': <starlette.applications.Starlette object at 0x1059797f0>, 'starlette.exception_handlers': ({<class 'starlette.exceptions.HTTPException'>: <bound method ExceptionMiddleware.http_exception of <starlette.middleware.exceptions.ExceptionMiddleware object at 0x10597a510>>, <class 'starlette.exceptions.WebSocketException'>: <bound method ExceptionMiddleware.websocket_exception of <starlette.middleware.exceptions.ExceptionMiddleware object at 0x10597a510>>}, {}), 'router': <starlette.routing.Router object at 0x105979a90>, 'endpoint': <function index at 0x1050db9c0>, 'path_params': {}}
COOKIES: {'a': 'abc'}
SEND: {'type': 'http.response.start', 'status': 200, 'headers': [(b'content-length', b'23'), (b'content-type', b'application/json')]}
SEND: {'type': 'http.response.body', 'body': b'{"cookies":{"a":"abc"}}'}

Relevant code is here in starlette.datastructures:Headers:

   @property
    def cookies(self) -> dict[str, str]:
        if not hasattr(self, "_cookies"):
            cookies: dict[str, str] = {}
            cookie_header = self.headers.get("cookie")

            if cookie_header:
                cookies = cookie_parser(cookie_header)
            self._cookies = cookies
        return self._cookies

Under HTTP/2 we could use self.headers.getlist("cookie"), parse each value with cookie_parser, and merge all of them into a single dictionary.

[brian316]

Also facing this issue. doesnt follow RFC 7540 spec

[brian316]

The issue lies in this code. Only the first "cookie" header gets parsed.

https://github.com/encode/starlette/blob/6ee94f2cac955eeae68d2898a8dec8cf17b48736/starlette/requests.py#L143