chore: version push

fix: Overriden custom cookies with pages router (#4427 )
* fix overriden cookies in pages router * Create stale-keys-guess.md * fix and add test * fix missing tests
2026-02-04 03:01:17 -05:00 · 2025-03-03 14:22:57 +05:30 · 2025-03-03 13:56:40 +05:30
36 changed files with 920 additions and 1948 deletions
--- a/.changeset/stale-keys-guess.md
+++ b/.changeset/stale-keys-guess.md
@@ -0,0 +1,5 @@
+---
+"@blitzjs/auth": patch
+---
+
+fix: Overriden custom cookies with pages router
--- a/apps/next13/CHANGELOG.md
+++ b/apps/next13/CHANGELOG.md
@@ -1,5 +1,16 @@
 # next-blitz-auth

+## 0.1.20
+
+### Patch Changes
+
+- Updated dependencies [aa033af9f]
+  - @blitzjs/auth@2.2.3
+  - @blitzjs/rpc@2.2.3
+  - @blitzjs/next@2.2.3
+  - @blitzjs/config@2.2.3
+  - blitz@2.2.3
+
 ## 0.1.19

 ### Patch Changes
--- a/apps/next13/package.json
+++ b/apps/next13/package.json
@@ -1,6 +1,6 @@
 {
  "name": "next-blitz-auth",
-  "version": "0.1.19",
+  "version": "0.1.20",
  "private": true,
  "scripts": {
    "blitz:dev": "next dev",
@@ -12,15 +12,15 @@
    "schema": "prisma/schema.prisma"
  },
  "dependencies": {
-    "@blitzjs/auth": "2.2.2",
-    "@blitzjs/config": "2.2.2",
-    "@blitzjs/next": "2.2.2",
-    "@blitzjs/rpc": "2.2.2",
+    "@blitzjs/auth": "2.2.3",
+    "@blitzjs/config": "2.2.3",
+    "@blitzjs/next": "2.2.3",
+    "@blitzjs/rpc": "2.2.3",
    "@hookform/error-message": "2.0.0",
    "@hookform/resolvers": "2.9.10",
    "@prisma/client": "^4.5.0",
    "@tanstack/react-query": "4.0.10",
-    "blitz": "2.2.2",
+    "blitz": "2.2.3",
    "flatted": "3.2.7",
    "next": "15.0.1",
    "prisma": "^4.5.0",
--- a/apps/toolkit-app-passportjs/package.json
+++ b/apps/toolkit-app-passportjs/package.json
@@ -23,14 +23,14 @@
    ]
  },
  "dependencies": {
-    "@blitzjs/auth": "2.2.2",
-    "@blitzjs/config": "2.2.2",
-    "@blitzjs/next": "2.2.2",
-    "@blitzjs/rpc": "2.2.2",
+    "@blitzjs/auth": "2.2.3",
+    "@blitzjs/config": "2.2.3",
+    "@blitzjs/next": "2.2.3",
+    "@blitzjs/rpc": "2.2.3",
    "@hookform/error-message": "2.0.0",
    "@hookform/resolvers": "2.9.10",
    "@prisma/client": "6.1.0",
-    "blitz": "2.2.2",
+    "blitz": "2.2.3",
    "next": "15.0.1",
    "openid-client": "5.2.1",
    "prisma": "6.1.0",
--- a/apps/toolkit-app/package.json
+++ b/apps/toolkit-app/package.json
@@ -24,14 +24,14 @@
    ]
  },
  "dependencies": {
-    "@blitzjs/auth": "2.2.2",
-    "@blitzjs/config": "2.2.2",
-    "@blitzjs/next": "2.2.2",
-    "@blitzjs/rpc": "2.2.2",
+    "@blitzjs/auth": "2.2.3",
+    "@blitzjs/config": "2.2.3",
+    "@blitzjs/next": "2.2.3",
+    "@blitzjs/rpc": "2.2.3",
    "@hookform/error-message": "2.0.0",
    "@hookform/resolvers": "2.9.10",
    "@prisma/client": "6.1.0",
-    "blitz": "2.2.2",
+    "blitz": "2.2.3",
    "next": "15.0.1",
    "next-auth": "4.24.7",
    "prisma": "6.1.0",
--- a/apps/web/package.json
+++ b/apps/web/package.json
@@ -16,14 +16,14 @@
    "schema": "./db/schema.prisma"
  },
  "dependencies": {
-    "@blitzjs/auth": "2.2.2",
-    "@blitzjs/config": "2.2.2",
-    "@blitzjs/next": "2.2.2",
-    "@blitzjs/rpc": "2.2.2",
+    "@blitzjs/auth": "2.2.3",
+    "@blitzjs/config": "2.2.3",
+    "@blitzjs/next": "2.2.3",
+    "@blitzjs/rpc": "2.2.3",
    "@prisma/client": "6.1.0",
    "@types/jest": "29.2.2",
    "@types/passport-twitter": "1.0.37",
-    "blitz": "2.2.2",
+    "blitz": "2.2.3",
    "jest": "29.3.0",
    "jest-environment-jsdom": "29.3.0",
    "next": "15.0.1",
--- a/integration-tests/auth-with-rpc/package.json
+++ b/integration-tests/auth-with-rpc/package.json
@@ -17,14 +17,14 @@
    "prisma:studio": "prisma studio"
  },
  "dependencies": {
-    "@blitzjs/auth": "2.2.2",
-    "@blitzjs/config": "2.2.2",
-    "@blitzjs/next": "2.2.2",
-    "@blitzjs/rpc": "2.2.2",
+    "@blitzjs/auth": "2.2.3",
+    "@blitzjs/config": "2.2.3",
+    "@blitzjs/next": "2.2.3",
+    "@blitzjs/rpc": "2.2.3",
    "@hookform/error-message": "2.0.0",
    "@hookform/resolvers": "2.9.10",
    "@prisma/client": "6.1.0",
-    "blitz": "2.2.2",
+    "blitz": "2.2.3",
    "delay": "5.0.0",
    "next": "15.0.1",
    "prisma": "6.1.0",
--- a/integration-tests/auth/package.json
+++ b/integration-tests/auth/package.json
@@ -17,11 +17,11 @@
    "prisma:studio": "prisma studio"
  },
  "dependencies": {
-    "@blitzjs/auth": "2.2.2",
-    "@blitzjs/config": "2.2.2",
-    "@blitzjs/next": "2.2.2",
+    "@blitzjs/auth": "2.2.3",
+    "@blitzjs/config": "2.2.3",
+    "@blitzjs/next": "2.2.3",
    "@prisma/client": "6.1.0",
-    "blitz": "2.2.2",
+    "blitz": "2.2.3",
    "lowdb": "3.0.0",
    "next": "15.0.1",
    "prisma": "6.1.0",
--- a/integration-tests/get-initial-props/package.json
+++ b/integration-tests/get-initial-props/package.json
@@ -16,11 +16,11 @@
    "schema": "db/schema.prisma"
  },
  "dependencies": {
-    "@blitzjs/auth": "2.2.2",
-    "@blitzjs/next": "2.2.2",
-    "@blitzjs/rpc": "2.2.2",
+    "@blitzjs/auth": "2.2.3",
+    "@blitzjs/next": "2.2.3",
+    "@blitzjs/rpc": "2.2.3",
    "@prisma/client": "6.1.0",
-    "blitz": "2.2.2",
+    "blitz": "2.2.3",
    "lowdb": "2.1.0",
    "next": "15.0.1",
    "prisma": "6.1.0",
@@ -28,7 +28,7 @@
    "react-dom": "19.0.0"
  },
  "devDependencies": {
-    "@blitzjs/config": "2.2.2",
+    "@blitzjs/config": "2.2.3",
    "@next/bundle-analyzer": "12.0.8",
    "@types/express": "4.17.13",
    "@types/fs-extra": "9.0.13",
--- a/integration-tests/middleware/package.json
+++ b/integration-tests/middleware/package.json
@@ -11,10 +11,10 @@
    "clean": "rm -rf .turbo && rm -rf node_modules && rm -rf .next"
  },
  "dependencies": {
-    "@blitzjs/config": "2.2.2",
-    "@blitzjs/next": "2.2.2",
-    "@blitzjs/rpc": "2.2.2",
-    "blitz": "2.2.2",
+    "@blitzjs/config": "2.2.3",
+    "@blitzjs/next": "2.2.3",
+    "@blitzjs/rpc": "2.2.3",
+    "blitz": "2.2.3",
    "next": "15.0.1",
    "react": "19.0.0",
    "react-dom": "19.0.0"
--- a/integration-tests/next-13-app-dir/package.json
+++ b/integration-tests/next-13-app-dir/package.json
@@ -17,12 +17,12 @@
    "prisma:studio": "prisma studio"
  },
  "dependencies": {
-    "@blitzjs/auth": "2.2.2",
-    "@blitzjs/config": "2.2.2",
-    "@blitzjs/next": "2.2.2",
-    "@blitzjs/rpc": "2.2.2",
+    "@blitzjs/auth": "2.2.3",
+    "@blitzjs/config": "2.2.3",
+    "@blitzjs/next": "2.2.3",
+    "@blitzjs/rpc": "2.2.3",
    "@prisma/client": "6.1.0",
-    "blitz": "2.2.2",
+    "blitz": "2.2.3",
    "lowdb": "2.1.0",
    "next": "15.0.1",
    "prisma": "6.1.0",
--- a/integration-tests/no-suspense/package.json
+++ b/integration-tests/no-suspense/package.json
@@ -16,11 +16,11 @@
    "prisma:studio": "prisma studio"
  },
  "dependencies": {
-    "@blitzjs/auth": "2.2.2",
-    "@blitzjs/next": "2.2.2",
-    "@blitzjs/rpc": "2.2.2",
+    "@blitzjs/auth": "2.2.3",
+    "@blitzjs/next": "2.2.3",
+    "@blitzjs/rpc": "2.2.3",
    "@prisma/client": "6.1.0",
-    "blitz": "2.2.2",
+    "blitz": "2.2.3",
    "lowdb": "3.0.0",
    "next": "15.0.1",
    "prisma": "6.1.0",
@@ -28,7 +28,7 @@
    "react-dom": "19.0.0"
  },
  "devDependencies": {
-    "@blitzjs/config": "2.2.2",
+    "@blitzjs/config": "2.2.3",
    "@next/bundle-analyzer": "12.0.8",
    "@types/express": "4.17.13",
    "@types/fs-extra": "9.0.13",
--- a/integration-tests/qm/package.json
+++ b/integration-tests/qm/package.json
@@ -8,13 +8,13 @@
    "clean": "rm -rf .turbo && rm -rf node_modules"
  },
  "dependencies": {
-    "@blitzjs/auth": "2.2.2",
-    "@blitzjs/config": "2.2.2",
-    "@blitzjs/next": "2.2.2",
-    "@blitzjs/rpc": "2.2.2",
+    "@blitzjs/auth": "2.2.3",
+    "@blitzjs/config": "2.2.3",
+    "@blitzjs/next": "2.2.3",
+    "@blitzjs/rpc": "2.2.3",
    "@prisma/client": "6.1.0",
    "@tanstack/react-query": "4.0.10",
-    "blitz": "2.2.2",
+    "blitz": "2.2.3",
    "next": "15.0.1",
    "prisma": "6.1.0",
    "react": "19.0.0",
--- a/integration-tests/react-query-utils/package.json
+++ b/integration-tests/react-query-utils/package.json
@@ -16,10 +16,10 @@
    "schema": "db/schema.prisma"
  },
  "dependencies": {
-    "@blitzjs/next": "2.2.2",
-    "@blitzjs/rpc": "2.2.2",
+    "@blitzjs/next": "2.2.3",
+    "@blitzjs/rpc": "2.2.3",
    "@prisma/client": "6.1.0",
-    "blitz": "2.2.2",
+    "blitz": "2.2.3",
    "lowdb": "3.0.0",
    "next": "15.0.1",
    "prisma": "6.1.0",
@@ -27,7 +27,7 @@
    "react-dom": "19.0.0"
  },
  "devDependencies": {
-    "@blitzjs/config": "2.2.2",
+    "@blitzjs/config": "2.2.3",
    "@next/bundle-analyzer": "12.0.8",
    "@types/express": "4.17.13",
    "@types/fs-extra": "9.0.13",
--- a/integration-tests/rpc-path-root/package.json
+++ b/integration-tests/rpc-path-root/package.json
@@ -7,10 +7,10 @@
    "clean": "rm -rf .turbo && rm -rf node_modules && rm -rf .next"
  },
  "dependencies": {
-    "@blitzjs/config": "2.2.2",
-    "@blitzjs/next": "2.2.2",
-    "@blitzjs/rpc": "2.2.2",
-    "blitz": "2.2.2",
+    "@blitzjs/config": "2.2.3",
+    "@blitzjs/next": "2.2.3",
+    "@blitzjs/rpc": "2.2.3",
+    "blitz": "2.2.3",
    "next": "15.0.1",
    "react": "19.0.0",
    "react-dom": "19.0.0"
--- a/integration-tests/rpc/package.json
+++ b/integration-tests/rpc/package.json
@@ -7,10 +7,10 @@
    "clean": "rm -rf .turbo && rm -rf node_modules && rm -rf .next"
  },
  "dependencies": {
-    "@blitzjs/config": "2.2.2",
-    "@blitzjs/next": "2.2.2",
-    "@blitzjs/rpc": "2.2.2",
-    "blitz": "2.2.2",
+    "@blitzjs/config": "2.2.3",
+    "@blitzjs/next": "2.2.3",
+    "@blitzjs/rpc": "2.2.3",
+    "blitz": "2.2.3",
    "next": "15.0.1",
    "react": "19.0.0",
    "react-dom": "19.0.0"
--- a/integration-tests/trailing-slash/package.json
+++ b/integration-tests/trailing-slash/package.json
@@ -16,11 +16,11 @@
    "schema": "db/schema.prisma"
  },
  "dependencies": {
-    "@blitzjs/auth": "2.2.2",
-    "@blitzjs/next": "2.2.2",
-    "@blitzjs/rpc": "2.2.2",
+    "@blitzjs/auth": "2.2.3",
+    "@blitzjs/next": "2.2.3",
+    "@blitzjs/rpc": "2.2.3",
    "@prisma/client": "6.1.0",
-    "blitz": "2.2.2",
+    "blitz": "2.2.3",
    "lowdb": "3.0.0",
    "next": "15.0.1",
    "prisma": "6.1.0",
@@ -28,7 +28,7 @@
    "react-dom": "19.0.0"
  },
  "devDependencies": {
-    "@blitzjs/config": "2.2.2",
+    "@blitzjs/config": "2.2.3",
    "@next/bundle-analyzer": "12.0.8",
    "@types/express": "4.17.13",
    "@types/fs-extra": "9.0.13",
--- a/integration-tests/utils/package.json
+++ b/integration-tests/utils/package.json
@@ -3,9 +3,9 @@
  "version": "0.0.0",
  "private": true,
  "devDependencies": {
-    "@blitzjs/config": "workspace:2.2.2",
-    "@blitzjs/next": "workspace:2.2.2",
-    "@blitzjs/rpc": "workspace:2.2.2",
+    "@blitzjs/config": "workspace:2.2.3",
+    "@blitzjs/next": "workspace:2.2.3",
+    "@blitzjs/rpc": "workspace:2.2.3",
    "@tanstack/react-query": "4.13.0",
    "@testing-library/react": "16.0.1",
    "@types/express": "4.17.13",
--- a/packages/blitz-auth/CHANGELOG.md
+++ b/packages/blitz-auth/CHANGELOG.md
@@ -1,5 +1,12 @@
 # @blitzjs/auth

+## 2.2.3
+
+### Patch Changes
+
+- aa033af9f: fix: Overriden custom cookies with pages router
+  - blitz@2.2.3
+
 ## 2.2.2

 ### Patch Changes
--- a/packages/blitz-auth/package.json
+++ b/packages/blitz-auth/package.json
@@ -1,6 +1,6 @@
 {
  "name": "@blitzjs/auth",
-  "version": "2.2.2",
+  "version": "2.2.3",
  "homepage": "https://blitzjs.com/",
  "repository": {
    "type": "git",
@@ -50,7 +50,7 @@
    "url": "0.11.0"
  },
  "peerDependencies": {
-    "blitz": "2.2.2",
+    "blitz": "2.2.3",
    "next": "*",
    "next-auth": "*",
    "secure-password": "4.0.0"
@@ -67,14 +67,14 @@
    }
  },
  "devDependencies": {
-    "@blitzjs/config": "2.2.2",
+    "@blitzjs/config": "2.2.3",
    "@testing-library/react": "16.0.1",
    "@types/cookie": "0.4.1",
    "@types/debug": "4.1.7",
    "@types/jsonwebtoken": "8.5.8",
    "@types/react": "npm:types-react@19.0.0",
    "@types/react-dom": "npm:types-react-dom@19.0.0",
-    "blitz": "2.2.2",
+    "blitz": "2.2.3",
    "next": "15.0.1",
    "next-auth": "4.24.7",
    "react": "19.0.0",
--- a/packages/blitz-auth/src/server/auth-sessions.test.ts
+++ b/packages/blitz-auth/src/server/auth-sessions.test.ts
@@ -0,0 +1,226 @@
+import {expect, describe, it, beforeEach} from "vitest"
+import {ServerResponse} from "http"
+import {Writable} from "stream"
+import {append} from "./auth-sessions"
+
+class MockServerResponse extends Writable {
+  private headers: Map<string, string | string[]> = new Map()
+
+  getHeader(name: string) {
+    return this.headers.get(name)
+  }
+
+  setHeader(name: string, value: string | string[]) {
+    this.headers.set(name, value)
+  }
+
+  getHeaders() {
+    return Object.fromEntries(this.headers)
+  }
+
+  _write(_chunk: unknown, _encoding: string, callback: (error?: Error | null) => void): void {
+    callback()
+  }
+}
+
+describe("append", () => {
+  let res: ServerResponse
+  const COOKIE_PREFIX = "auth-tests-cookie-prefix_s"
+
+  beforeEach(() => {
+    res = new MockServerResponse() as unknown as ServerResponse
+  })
+
+  describe("Blitz Auth Flows", () => {
+    const anonymousSessionCookie = `${COOKIE_PREFIX}AnonymousSessionToken=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJibGl0empzIjp7ImlzQW5vbnltb3VzIjp0cnVlLCJoYW5kbGUiOiJEVjk4OVZadFpra0lpWHFSOFRPX3Fvem44MHBwWFBnaDphand0IiwicHVibGljRGF0YSI6eyJ1c2VySWQiOm51bGx9LCJhbnRpQ1NSRlRva2VuIjoiM25BdDBZWVI0b0xDNnAtTm1fQW1CeFQxRmJmVmpiaXMifSwiaWF0IjoxNzQwODA0NTE4LCJhdWQiOiJibGl0empzIiwiaXNzIjoiYmxpdHpqcyIsInN1YiI6ImFub255bW91cyJ9.ZpMxWh3Yq2Qe4BXzZ61d4V0YGV2luswF7ovE90DxURM; Path=/; Expires=Thu, 28 Feb 2030 04:48:38 GMT; HttpOnly; SameSite=Lax`
+    const antiCsrfCookie = `${COOKIE_PREFIX}AntiCsrfToken=3nAt0YYR4oLC6p-Nm_AmBxT1FbfVjbis; Path=/; Expires=Thu, 28 Feb 2030 04:48:38 GMT; SameSite=Lax`
+    const publicDataCookie = `${COOKIE_PREFIX}PublicDataToken=eyJ1c2VySWQiOm51bGx9; Path=/; Expires=Thu, 28 Feb 2030 04:48:38 GMT; SameSite=Lax`
+
+    const expiredSessionCookie = `${COOKIE_PREFIX}SessionToken=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly; SameSite=Lax`
+    const expiredAnonymousCookie = `${COOKIE_PREFIX}AnonymousSessionToken=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly; SameSite=Lax`
+
+    // Login cookies
+    const loginAntiCsrfCookie = `${COOKIE_PREFIX}AntiCsrfToken=1s3yaYs0yThO-DwOuiepJLzycvN090tO; Path=/; Expires=Mon, 31 Mar 2025 04:48:38 GMT; SameSite=Lax`
+    const loginPublicDataCookie = `${COOKIE_PREFIX}PublicDataToken=eyJ1c2VySWQiOjEsInJvbGUiOiJ1c2VyIn0%3D; Path=/; Expires=Mon, 31 Mar 2025 04:48:38 GMT; SameSite=Lax`
+    const loginSessionCookie = `${COOKIE_PREFIX}SessionToken=aGNjc0o5anJ5eTF4bDdqRE5VN09LeEx5QUJoR2toUjc6b3RzO1NaWC1la3YydGR4UGNjWVp6QkM0SlBQbUdWWmZEMlpFOzhhYWU1MDI2M2Q0YmUyNDIxZWYwNDBmMmFhZGI2MDk4YTNiNjhjMTAyZjlmNmNjYTQ4NzUzMGZiYjc0ZTdhYmI7djA%3D; Path=/; Expires=Mon, 31 Mar 2025 04:48:38 GMT; HttpOnly; SameSite=Lax`
+
+    it("should handle anonymous session cookies", () => {
+      append(res, "Set-Cookie", [anonymousSessionCookie, antiCsrfCookie, publicDataCookie])
+
+      const cookies = res.getHeader("Set-Cookie") as string[]
+      expect(cookies).toHaveLength(3)
+      expect(cookies[0]).toBe(anonymousSessionCookie)
+      expect(cookies[1]).toBe(antiCsrfCookie)
+      expect(cookies[2]).toBe(publicDataCookie)
+    })
+
+    it("should deduplicate cookies when the same one is set twice", () => {
+      append(res, "Set-Cookie", anonymousSessionCookie)
+      append(res, "Set-Cookie", anonymousSessionCookie)
+
+      const cookies = res.getHeader("Set-Cookie") as string[]
+      expect(cookies).toHaveLength(1)
+      expect(cookies[0]).toBe(anonymousSessionCookie)
+    })
+
+    it("should replace cookies with same name when values change", () => {
+      append(res, "Set-Cookie", anonymousSessionCookie)
+
+      const updatedAnonymousCookie = `${COOKIE_PREFIX}AnonymousSessionToken=NEW_TOKEN_VALUE; Path=/; SameSite=Lax`
+      append(res, "Set-Cookie", updatedAnonymousCookie)
+
+      const cookies = res.getHeader("Set-Cookie") as string[]
+      expect(cookies).toHaveLength(1)
+      expect(cookies[0]).toBe(updatedAnonymousCookie)
+    })
+
+    it("should handle session expiration", () => {
+      // First add anonymous session
+      append(res, "Set-Cookie", [anonymousSessionCookie, antiCsrfCookie, publicDataCookie])
+
+      append(res, "Set-Cookie", [expiredSessionCookie, expiredAnonymousCookie])
+
+      const cookies = res.getHeader("Set-Cookie") as string[]
+      expect(cookies).toHaveLength(4)
+
+      expect(cookies.find((c) => c === expiredSessionCookie)).toBeDefined()
+      expect(cookies.find((c) => c === expiredAnonymousCookie)).toBeDefined()
+    })
+
+    it("should handle login flow cookies", () => {
+      // First anonymous session
+      append(res, "Set-Cookie", [anonymousSessionCookie, antiCsrfCookie, publicDataCookie])
+
+      // Then login, which expires anonymous and sets new session
+      append(res, "Set-Cookie", [
+        expiredAnonymousCookie,
+        loginSessionCookie,
+        loginAntiCsrfCookie,
+        loginPublicDataCookie,
+      ])
+
+      const cookies = res.getHeader("Set-Cookie") as string[]
+
+      // Should have 4 cookies:
+      // - Original antiCsrf cookie (should be replaced by login one)
+      // - Expired anonymous cookie
+      // - Login session cookie
+      // - Login publicData cookie
+      expect(cookies).toHaveLength(4)
+
+      // Check proper replacement by extracting cookie names
+      const cookieNames = cookies.map((c) => {
+        const namePart = c.substring(0, c.indexOf("="))
+        return namePart
+      })
+
+      expect(cookieNames.filter((n) => n === `${COOKIE_PREFIX}AntiCsrfToken`)).toHaveLength(1)
+      expect(cookieNames.filter((n) => n === `${COOKIE_PREFIX}PublicDataToken`)).toHaveLength(1)
+      expect(cookieNames.filter((n) => n === `${COOKIE_PREFIX}SessionToken`)).toHaveLength(1)
+      // the expired cookie
+      expect(cookieNames.filter((n) => n === `${COOKIE_PREFIX}AnonymousSessionToken`)).toHaveLength(
+        1,
+      )
+    })
+
+    it("should properly combine multiple append calls with different cookie groups", () => {
+      append(res, "Set-Cookie", [anonymousSessionCookie, antiCsrfCookie])
+
+      append(res, "Set-Cookie", [publicDataCookie, loginAntiCsrfCookie])
+
+      const cookies = res.getHeader("Set-Cookie") as string[]
+
+      expect(cookies).toHaveLength(3)
+
+      const antiCsrfCookies = cookies.filter((c) => c.includes(`${COOKIE_PREFIX}AntiCsrfToken`))
+      expect(antiCsrfCookies).toHaveLength(1)
+      expect(antiCsrfCookies[0]).toBe(loginAntiCsrfCookie)
+    })
+
+    it("should handle the full session flow", () => {
+      append(res, "Set-Cookie", [anonymousSessionCookie, antiCsrfCookie, publicDataCookie])
+
+      const initialCookies = res.getHeader("Set-Cookie") as string[]
+      expect(initialCookies).toHaveLength(3)
+
+      append(res, "Set-Cookie", [
+        expiredAnonymousCookie,
+        loginSessionCookie,
+        loginAntiCsrfCookie,
+        loginPublicDataCookie,
+      ])
+      const loginCookies = res.getHeader("Set-Cookie") as string[]
+      expect(loginCookies).toHaveLength(4)
+
+      append(res, "Set-Cookie", [
+        expiredSessionCookie,
+        anonymousSessionCookie,
+        antiCsrfCookie,
+        publicDataCookie,
+      ])
+      const logoutCookies = res.getHeader("Set-Cookie") as string[]
+      expect(logoutCookies).toHaveLength(4)
+
+      const cookies = res.getHeader("Set-Cookie") as string[]
+
+      const cookieNames = cookies.map((c) => c.substring(0, c.indexOf("=")))
+
+      const counts = cookieNames.reduce((acc, name) => {
+        acc[name] = (acc[name] || 0) + 1
+        return acc
+      }, {} as Record<string, number>)
+
+      expect(Object.keys(counts).length).toBe(4)
+
+      Object.values(counts).forEach((count) => {
+        expect(count).toBeLessThanOrEqual(3)
+      })
+    })
+
+    it("should handle cookies with quoted values and special characters", () => {
+      const specialCookie = `${COOKIE_PREFIX}PublicDataToken="eyJ1c2VySWQiOjEsIm5hbWUiOiJKb2huIERvZSwgSnIuIn0%3D"; Path=/; SameSite=Lax`
+      append(res, "Set-Cookie", specialCookie)
+
+      const cookies = res.getHeader("Set-Cookie") as string[]
+      expect(cookies).toHaveLength(1)
+      expect(cookies[0]).toBe(specialCookie)
+    })
+
+    it("should properly merge with existing custom cookies already in the response", () => {
+      const customCookie1 = "custom1=value1; Path=/; HttpOnly"
+      const customCookie2 = "custom2=value2; Path=/; HttpOnly"
+      const existingAuthCookie = `${COOKIE_PREFIX}AntiCsrfToken=old-token; Path=/; SameSite=Lax`
+
+      res.setHeader("Set-Cookie", [customCookie1, customCookie2, existingAuthCookie])
+
+      // login
+      append(res, "Set-Cookie", [anonymousSessionCookie, loginAntiCsrfCookie, publicDataCookie])
+
+      const cookies = res.getHeader("Set-Cookie") as string[]
+
+      expect(cookies).toHaveLength(5)
+
+      // Custom cookies should be preserved
+      expect(cookies).toContain(customCookie1)
+      expect(cookies).toContain(customCookie2)
+
+      // Auth cookies should be correctly applied, with antiCsrf being updated
+      expect(cookies).toContain(anonymousSessionCookie)
+      expect(cookies).toContain(loginAntiCsrfCookie)
+      expect(cookies).toContain(publicDataCookie)
+
+      // The old auth cookie should be replaced
+      expect(cookies).not.toContain(existingAuthCookie)
+
+      // Verify we have the right counts of each cookie type
+      const cookieNames = cookies.map((c) => c.substring(0, c.indexOf("=")))
+      expect(cookieNames.filter((n) => n === "custom1")).toHaveLength(1)
+      expect(cookieNames.filter((n) => n === "custom2")).toHaveLength(1)
+      expect(cookieNames.filter((n) => n === `${COOKIE_PREFIX}AnonymousSessionToken`)).toHaveLength(
+        1,
+      )
+      expect(cookieNames.filter((n) => n === `${COOKIE_PREFIX}AntiCsrfToken`)).toHaveLength(1)
+      expect(cookieNames.filter((n) => n === `${COOKIE_PREFIX}PublicDataToken`)).toHaveLength(1)
+    })
+  })
+})
--- a/packages/blitz-auth/src/server/auth-sessions.ts
+++ b/packages/blitz-auth/src/server/auth-sessions.ts
@@ -468,7 +468,7 @@ export class SessionContextClass implements SessionContext {
    if (response instanceof Response) {
      response.headers.append("Set-Cookie", cookieHeaders!)
    } else {
-      response.setHeader("Set-Cookie", splitCookiesString(cookieHeaders!))
+      append(response, "Set-Cookie", splitCookiesString(cookieHeaders!))
    }

    const headers = this._headers.entries()
@@ -1249,12 +1249,31 @@ export async function setPublicDataForUser(userId: PublicData["userId"], data: R
 * @param {string} field
 * @param {string| string[]} val
 */
-function append(res: ServerResponse, field: string, val: string | string[]) {
+export function append(res: ServerResponse, field: string, val: string | string[]) {
  let prev: string | string[] | undefined = res.getHeader(field) as string | string[] | undefined
  let value = val

-  if (prev !== undefined) {
-    // concat the new and prev vals
+  if (field.toLowerCase() === "set-cookie") {
+    const prevCookies = prev ? (Array.isArray(prev) ? prev : [prev]) : []
+    const newCookies = Array.isArray(val) ? val : [val]
+
+    const allCookies = [...prevCookies, ...newCookies].reduce((acc: string[], cookieHeader) => {
+      return acc.concat(splitCookiesString(cookieHeader))
+    }, [])
+
+    const cookieMap = new Map()
+    allCookies.forEach((cookieStr) => {
+      const firstSemicolon = cookieStr.indexOf(";")
+      const cookieNameValue = firstSemicolon > -1 ? cookieStr.slice(0, firstSemicolon) : cookieStr
+      const parsed = cookie.parse(cookieNameValue)
+      const name = Object.keys(parsed)[0]
+      if (name) {
+        cookieMap.set(name, cookieStr)
+      }
+    })
+
+    value = Array.from(cookieMap.values())
+  } else if (prev !== undefined) {
    value = Array.isArray(prev)
      ? prev.concat(val)
      : Array.isArray(val)
@@ -1263,7 +1282,6 @@ function append(res: ServerResponse, field: string, val: string | string[]) {
  }

  value = Array.isArray(value) ? value.map(String) : String(value)
-
  res.setHeader(field, value)
  return res
 }
--- a/packages/blitz-next/CHANGELOG.md
+++ b/packages/blitz-next/CHANGELOG.md
@@ -1,5 +1,12 @@
 # @blitzjs/next

+## 2.2.3
+
+### Patch Changes
+
+- @blitzjs/rpc@2.2.3
+- blitz@2.2.3
+
 ## 2.2.2

 ### Patch Changes
--- a/packages/blitz-next/package.json
+++ b/packages/blitz-next/package.json
@@ -1,6 +1,6 @@
 {
  "name": "@blitzjs/next",
-  "version": "2.2.2",
+  "version": "2.2.3",
  "homepage": "https://blitzjs.com/",
  "repository": {
    "type": "git",
@@ -29,7 +29,7 @@
    "eslint.js"
  ],
  "dependencies": {
-    "@blitzjs/rpc": "2.2.2",
+    "@blitzjs/rpc": "2.2.3",
    "@types/hoist-non-react-statics": "3.3.1",
    "copy-webpack-plugin": "11.0.0",
    "debug": "4.3.3",
@@ -39,13 +39,13 @@
    "supports-color": "8.1.1"
  },
  "peerDependencies": {
-    "blitz": "2.2.2",
+    "blitz": "2.2.3",
    "next": "*",
    "react": "*",
    "tslog": "4.9.0"
  },
  "devDependencies": {
-    "@blitzjs/config": "2.2.2",
+    "@blitzjs/config": "2.2.3",
    "@testing-library/dom": "8.13.0",
    "@testing-library/jest-dom": "5.16.3",
    "@testing-library/react": "16.0.1",
@@ -55,7 +55,7 @@
    "@types/react": "npm:types-react@19.0.0",
    "@types/react-dom": "npm:types-react-dom@19.0.0",
    "@types/testing-library__react-hooks": "4.0.0",
-    "blitz": "2.2.2",
+    "blitz": "2.2.3",
    "cross-spawn": "7.0.3",
    "find-up": "4.1.0",
    "next": "15.0.1",
--- a/packages/blitz-rpc/CHANGELOG.md
+++ b/packages/blitz-rpc/CHANGELOG.md
@@ -1,5 +1,11 @@
 # @blitzjs/rpc

+## 2.2.3
+
+### Patch Changes
+
+- blitz@2.2.3
+
 ## 2.2.2

 ### Patch Changes
--- a/packages/blitz-rpc/package.json
+++ b/packages/blitz-rpc/package.json
@@ -1,6 +1,6 @@
 {
  "name": "@blitzjs/rpc",
-  "version": "2.2.2",
+  "version": "2.2.3",
  "homepage": "https://blitzjs.com/",
  "repository": {
    "type": "git",
@@ -37,18 +37,18 @@
  },
  "peerDependencies": {
    "@tanstack/query-core": "4.24.4",
-    "blitz": "2.2.2",
+    "blitz": "2.2.3",
    "next": "*",
    "react": "*"
  },
  "devDependencies": {
-    "@blitzjs/auth": "2.2.2",
-    "@blitzjs/config": "2.2.2",
+    "@blitzjs/auth": "2.2.3",
+    "@blitzjs/config": "2.2.3",
    "@tanstack/query-core": "4.24.4",
    "@types/debug": "4.1.7",
    "@types/react": "npm:types-react@19.0.0",
    "@types/react-dom": "npm:types-react-dom@19.0.0",
-    "blitz": "2.2.2",
+    "blitz": "2.2.3",
    "next": "15.0.1",
    "react": "19.0.0",
    "react-dom": "19.0.0",
--- a/packages/blitz/CHANGELOG.md
+++ b/packages/blitz/CHANGELOG.md
--- a/packages/blitz/package.json
+++ b/packages/blitz/package.json
@@ -1,6 +1,6 @@
 {
  "name": "blitz",
-  "version": "2.2.2",
+  "version": "2.2.3",
  "homepage": "https://blitzjs.com/",
  "repository": {
    "type": "git",
@@ -30,7 +30,7 @@
    "blitz": "bin/blitz"
  },
  "dependencies": {
-    "@blitzjs/generator": "2.2.2",
+    "@blitzjs/generator": "2.2.3",
    "@mrleebo/prisma-ast": "0.4.1",
    "@types/global-agent": "2.1.1",
    "arg": "5.0.1",
@@ -80,7 +80,7 @@
    "watchpack": "2.1.1"
  },
  "devDependencies": {
-    "@blitzjs/config": "2.2.2",
+    "@blitzjs/config": "2.2.3",
    "@types/cookie": "0.4.1",
    "@types/cross-spawn": "6.0.2",
    "@types/debug": "4.1.7",
--- a/packages/codemod/CHANGELOG.md
+++ b/packages/codemod/CHANGELOG.md
@@ -1,5 +1,12 @@
 # @blitzjs/codemod

+## 2.2.3
+
+### Patch Changes
+
+- @blitzjs/generator@2.2.3
+- blitz@2.2.3
+
 ## 2.2.2

 ### Patch Changes
--- a/packages/codemod/package.json
+++ b/packages/codemod/package.json
@@ -1,6 +1,6 @@
 {
  "name": "@blitzjs/codemod",
-  "version": "2.2.2",
+  "version": "2.2.3",
  "scripts": {
    "build": "unbuild",
    "dev": "watch unbuild src --wait=0.2",
@@ -25,9 +25,9 @@
    "@babel/plugin-proposal-class-properties": "7.17.12",
    "@babel/plugin-syntax-jsx": "7.17.12",
    "@babel/plugin-syntax-typescript": "7.17.12",
-    "@blitzjs/generator": "2.2.2",
+    "@blitzjs/generator": "2.2.3",
    "arg": "5.0.1",
-    "blitz": "2.2.2",
+    "blitz": "2.2.3",
    "chalk": "^4.1.0",
    "cross-spawn": "7.0.3",
    "debug": "4.3.3",
@@ -38,7 +38,7 @@
  },
  "devDependencies": {
    "@babel/preset-env": "7.12.10",
-    "@blitzjs/config": "2.2.2",
+    "@blitzjs/config": "2.2.3",
    "@types/jscodeshift": "0.11.2",
    "@types/node": "18.11.9",
    "ast-types": "0.14.2",
--- a/packages/config/CHANGELOG.md
+++ b/packages/config/CHANGELOG.md
@@ -1,5 +1,7 @@
 # @blitzjs/config

+## 2.2.3
+
 ## 2.2.2

 ## 2.2.1
--- a/packages/config/package.json
+++ b/packages/config/package.json
@@ -1,7 +1,7 @@
 {
  "name": "@blitzjs/config",
  "private": true,
-  "version": "2.2.2",
+  "version": "2.2.3",
  "license": "MIT",
  "dependencies": {
    "@typescript-eslint/eslint-plugin": "5.42.1",
--- a/packages/generator/CHANGELOG.md
+++ b/packages/generator/CHANGELOG.md
@@ -1,5 +1,7 @@
 # @blitzjs/generator

+## 2.2.3
+
 ## 2.2.2

 ## 2.2.1
--- a/packages/generator/package.json
+++ b/packages/generator/package.json
@@ -1,6 +1,6 @@
 {
  "name": "@blitzjs/generator",
-  "version": "2.2.2",
+  "version": "2.2.3",
  "homepage": "https://blitzjs.com/",
  "repository": {
    "type": "git",
@@ -54,7 +54,7 @@
    "zod": "3.23.8"
  },
  "devDependencies": {
-    "@blitzjs/config": "2.2.2",
+    "@blitzjs/config": "2.2.3",
    "@juanm04/cpx": "2.0.1",
    "@types/babel__core": "7.1.19",
    "@types/diff": "5.0.2",
--- a/packages/pkg-template/package.json
+++ b/packages/pkg-template/package.json
@@ -25,7 +25,7 @@
    "@typescript-eslint/parser": "5.9.1"
  },
  "devDependencies": {
-    "@blitzjs/config": "2.2.2",
+    "@blitzjs/config": "2.2.3",
    "@types/react": "npm:types-react@19.0.0",
    "@types/react-dom": "npm:types-react-dom@19.0.0",
    "react": "19.0.0",
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
Author	SHA1	Message	Date
Siddharth Suresh	8f5ca746c6	chore: version push	2025-03-03 14:22:57 +05:30
Siddharth Suresh	aa033af9f1	fix: Overriden custom cookies with pages router (#4427 ) * fix overriden cookies in pages router * Create stale-keys-guess.md * fix and add test * fix missing tests	2025-03-03 13:56:40 +05:30