fix: prevent sending set-cookie header when cookie value is unchanged (#1556)

NongTham · NongTham · commit f6fb731ed3f0 · 2025-11-20T20:22:47.000+07:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,7 @@
+# 1.4.17 - TBD
+Bug fix:
+- [#1556](https://github.com/elysiajs/elysia/issues/1556) prevent sending set-cookie header when cookie value is not modified
+
 # 1.4.16 - 13 Nov 2025
 Improvement:
 - ValidationError: add `messageValue` as an alias of `errorValue`
diff --git a/src/cookies.ts b/src/cookies.ts
@@ -142,7 +142,7 @@ export class Cookie<T> implements ElysiaCookie {
 	}
 
 	protected get setCookie() {
-		if (!(this.name in this.jar)) this.jar[this.name] = this.initial
+		if (!(this.name in this.jar)) this.jar[this.name] = { ...this.initial }
 
 		return this.jar[this.name]
 	}
@@ -156,87 +156,129 @@ export class Cookie<T> implements ElysiaCookie {
 	}
 
 	set value(value: T) {
-		this.setCookie.value = value
+		// Check if value actually changed before creating entry in jar
+		const current = this.cookie.value
+		
+		// Simple equality check
+		if (current === value) return
+		
+		// For objects, do a deep equality check
+		if (
+			typeof current === 'object' &&
+			current !== null &&
+			typeof value === 'object' &&
+			value !== null
+		) {
+			try {
+				if (JSON.stringify(current) === JSON.stringify(value)) return
+			} catch {
+				// If stringify fails, proceed with setting the value
+			}
+		}
+		
+		// Only create entry in jar if value actually changed
+		if (!(this.name in this.jar)) this.jar[this.name] = { ...this.initial }
+		this.jar[this.name].value = value
 	}
 
 	get expires() {
 		return this.cookie.expires
 	}
 
-	set expires(expires) {
-		this.setCookie.expires = expires
+	set expires(expires: Date | undefined) {
+		if (this.cookie.expires === expires) return
+		if (!(this.name in this.jar)) this.jar[this.name] = { ...this.initial }
+		this.jar[this.name].expires = expires
 	}
 
 	get maxAge() {
 		return this.cookie.maxAge
 	}
 
-	set maxAge(maxAge) {
-		this.setCookie.maxAge = maxAge
+	set maxAge(maxAge: number | undefined) {
+		if (this.cookie.maxAge === maxAge) return
+		if (!(this.name in this.jar)) this.jar[this.name] = { ...this.initial }
+		this.jar[this.name].maxAge = maxAge
 	}
 
 	get domain() {
 		return this.cookie.domain
 	}
 
-	set domain(domain) {
-		this.setCookie.domain = domain
+	set domain(domain: string | undefined) {
+		if (this.cookie.domain === domain) return
+		if (!(this.name in this.jar)) this.jar[this.name] = { ...this.initial }
+		this.jar[this.name].domain = domain
 	}
 
 	get path() {
 		return this.cookie.path
 	}
 
-	set path(path) {
-		this.setCookie.path = path
+	set path(path: string | undefined) {
+		if (this.cookie.path === path) return
+		if (!(this.name in this.jar)) this.jar[this.name] = { ...this.initial }
+		this.jar[this.name].path = path
 	}
 
 	get secure() {
 		return this.cookie.secure
 	}
 
-	set secure(secure) {
-		this.setCookie.secure = secure
+	set secure(secure: boolean | undefined) {
+		if (this.cookie.secure === secure) return
+		if (!(this.name in this.jar)) this.jar[this.name] = { ...this.initial }
+		this.jar[this.name].secure = secure
 	}
 
 	get httpOnly() {
 		return this.cookie.httpOnly
 	}
 
-	set httpOnly(httpOnly) {
-		this.setCookie.httpOnly = httpOnly
+	set httpOnly(httpOnly: boolean | undefined) {
+		if (this.cookie.httpOnly === httpOnly) return
+		if (!(this.name in this.jar)) this.jar[this.name] = { ...this.initial }
+		this.jar[this.name].httpOnly = httpOnly
 	}
 
 	get sameSite() {
 		return this.cookie.sameSite
 	}
 
-	set sameSite(sameSite) {
-		this.setCookie.sameSite = sameSite
+	set sameSite(sameSite: true | false | 'lax' | 'strict' | 'none' | undefined) {
+		if (this.cookie.sameSite === sameSite) return
+		if (!(this.name in this.jar)) this.jar[this.name] = { ...this.initial }
+		this.jar[this.name].sameSite = sameSite
 	}
 
 	get priority() {
 		return this.cookie.priority
 	}
 
-	set priority(priority) {
-		this.setCookie.priority = priority
+	set priority(priority: 'low' | 'medium' | 'high' | undefined) {
+		if (this.cookie.priority === priority) return
+		if (!(this.name in this.jar)) this.jar[this.name] = { ...this.initial }
+		this.jar[this.name].priority = priority
 	}
 
 	get partitioned() {
 		return this.cookie.partitioned
 	}
 
-	set partitioned(partitioned) {
-		this.setCookie.partitioned = partitioned
+	set partitioned(partitioned: boolean | undefined) {
+		if (this.cookie.partitioned === partitioned) return
+		if (!(this.name in this.jar)) this.jar[this.name] = { ...this.initial }
+		this.jar[this.name].partitioned = partitioned
 	}
 
 	get secrets() {
 		return this.cookie.secrets
 	}
 
-	set secrets(secrets) {
-		this.setCookie.secrets = secrets
+	set secrets(secrets: string | string[] | undefined) {
+		if (this.cookie.secrets === secrets) return
+		if (!(this.name in this.jar)) this.jar[this.name] = { ...this.initial }
+		this.jar[this.name].secrets = secrets
 	}
 
 	update(config: Updater<Partial<ElysiaCookie>>) {
diff --git a/test/cookie/unchanged.test.ts b/test/cookie/unchanged.test.ts
@@ -0,0 +1,109 @@
+import { describe, it, expect } from 'bun:test'
+import { Elysia, t } from '../../src'
+
+describe('Cookie - Unchanged Values', () => {
+	it('should not send set-cookie header when cookie is only read', async () => {
+		const app = new Elysia()
+			.guard({
+				cookie: t.Cookie({
+					value: t.Optional(
+						t.Object({
+							a: t.String(),
+							b: t.String()
+						})
+					)
+				})
+			})
+			.get('/cookie', ({ cookie: { value } }) => value.value)
+			.post('/cookie', ({ cookie: { value } }) => {
+				value.value = { a: '1', b: '2' }
+				return 'ok'
+			})
+
+		// POST request should set cookie
+		const postResponse = await app.handle(
+			new Request('http://localhost/cookie', {
+				method: 'POST'
+			})
+		)
+
+		const setCookieHeaders = postResponse.headers.getAll('set-cookie')
+		expect(setCookieHeaders.length).toBeGreaterThan(0)
+
+		// GET request should NOT set cookie (only reading)
+		const getResponse = await app.handle(
+			new Request('http://localhost/cookie', {
+				method: 'GET',
+				headers: {
+					cookie: setCookieHeaders[0].split(';')[0]
+				}
+			})
+		)
+
+		const getSetCookieHeaders = getResponse.headers.getAll('set-cookie')
+		expect(getSetCookieHeaders.length).toBe(0)
+	})
+
+	it('should not send set-cookie header when cookie value is accessed but not modified', async () => {
+		const app = new Elysia()
+			.get('/read', ({ cookie: { session } }) => {
+				// Just reading the value
+				const val = session.value
+				return { read: val }
+			})
+			.get('/write', ({ cookie: { session } }) => {
+				// Writing the value
+				session.value = 'test'
+				return { written: true }
+			})
+
+		// Read endpoint should not set cookie
+		const readResponse = await app.handle(
+			new Request('http://localhost/read')
+		)
+		expect(readResponse.headers.getAll('set-cookie').length).toBe(0)
+
+		// Write endpoint should set cookie
+		const writeResponse = await app.handle(
+			new Request('http://localhost/write')
+		)
+		expect(
+			writeResponse.headers.getAll('set-cookie').length
+		).toBeGreaterThan(0)
+	})
+
+	it('should not send set-cookie header when setting same value', async () => {
+		const app = new Elysia().get('/same', ({ cookie: { session } }) => {
+			// Setting the same value that came from request
+			session.value = 'existing'
+			return 'ok'
+		})
+
+		const response = await app.handle(
+			new Request('http://localhost/same', {
+				headers: {
+					cookie: 'session=existing'
+				}
+			})
+		)
+
+		expect(response.headers.getAll('set-cookie').length).toBe(0)
+	})
+
+	it('should send set-cookie header when value actually changes', async () => {
+		const app = new Elysia().get('/change', ({ cookie: { session } }) => {
+			session.value = 'new-value'
+			return 'ok'
+		})
+
+		const response = await app.handle(
+			new Request('http://localhost/change', {
+				headers: {
+					cookie: 'session=old-value'
+				}
+			})
+		)
+
+		expect(response.headers.getAll('set-cookie').length).toBeGreaterThan(0)
+	})
+})
