Upstream supervisor has a closed “not planned” bug report titled Ingress blocking duplicate response header names #4290 which means addons with applications with multiple set-cookie headers for sessions and authentication are not supported.
I was able to work around it with a resolution. I relied on nginx to do the heavy lifting.
Backend to client: nginx receives multiple set-cookie response headers. nginx combines all of the cookies into a “super” or unified cookie. nginx sends one cookie to client (and discards backend cookies without sending them to client).
Client to backend: nginx receives “super” cookie. nginx breaks up cookie and sends multiple cookies to backend for session management success.
I have been developing a WireGuard UI addon and it maintains session with multiple cookies. You may find more details and nginx source code at "nginx can fix home assistant ingress with multiple set-cookie headers" (Issue #5, samrocketman/addons-homeassistant, GitHub).
Side note: I would have commented in the original reported issue this workaround, but it is locked and I do not have access to comment. If an admin or moderator could comment on my behalf in the original issue that would be great! I spent almost a week in nginx and hassio docs as well as nginx and hassio source code before I came up with this solution. I didn’t ask for help in the forum to respect time of others.
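The pack and unpack scheme described in the post above, sketched in Python as an added example; it is not the nginx configuration from the linked issue and not part of the original post. The cookie name `ingress_super`, the URL-encoded member format, and the `Path`/`HttpOnly`/`Secure` choices are assumptions made for illustration.

```python
from urllib.parse import parse_qsl, urlencode

SUPER = "ingress_super"  # hypothetical name for the unified cookie


def split_cookie_header(cookie_header, super_name=SUPER):
    """Client -> backend: expand the unified cookie back into its members."""
    members, passthrough = {}, []
    for item in filter(None, (c.strip() for c in cookie_header.split(";"))):
        name, _, value = item.partition("=")
        if name == super_name:
            members.update(parse_qsl(value, keep_blank_values=True))
        else:
            passthrough.append(item)  # cookies the proxy does not manage
    expanded = [f"{k}={v}" for k, v in members.items()]
    return members, "; ".join(passthrough + expanded)


def merge_set_cookies(set_cookie_values, current, super_name=SUPER,
                      path="/", secure=True):
    """Backend -> client: fold every Set-Cookie value into one header value.

    `current` holds the members from the request's unified cookie, so a
    response that sets a single cookie does not erase the others.
    """
    members = dict(current)
    for raw in set_cookie_values:
        first, *attrs = (part.strip() for part in raw.split(";"))
        name, _, value = first.partition("=")
        attr_map = dict(a.lower().partition("=")[::2] for a in attrs if a)
        if attr_map.get("max-age") == "0":
            members.pop(name, None)  # backend is deleting this cookie
        else:
            members[name] = value
    # Per-cookie attributes are lost in the merge, so the unified cookie is
    # always HttpOnly (it carries the session members) and Secure by default.
    parts = [f"{super_name}={urlencode(members)}", f"Path={path}", "HttpOnly"]
    if secure:
        parts.append("Secure")
    return "; ".join(parts)


# Constructed sample: two cookies set by a backend in one response.
BACKEND = ["session=abc123; Path=/; HttpOnly", "csrf=dG9rZW4=; Path=/"]
```

Browsers cap a single cookie at roughly 4 KB, so the merged value has less headroom than the separate cookies had. Deletion is recognised here only through `Max-Age=0`; a backend that expires cookies with a past `Expires` date would need that handled as well.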
I made 2 PRs that fix this issue:
main ← RubenNL:addons-ingress-multiple-cookies
opened 01:31PM - 04 Jul 25 UTC
## Proposed change
The supervisor (and core) ingress only supported 1 header with the same name. Applications frequently set multiple cookies in 1 response.
This change fixes the response, and also the request. I haven't found a situation where this matters, but it's possible in the HTTP spec.
## Type of change
- [ ] Dependency upgrade
- [x] Bugfix (non-breaking change which fixes an issue)
- [ ] New feature (which adds functionality to the supervisor)
- [ ] Breaking change (fix/feature causing existing functionality to break)
- [ ] Code quality improvements to existing code or addition of tests
## Additional information
- This PR fixes or closes issue: fixes #4290
- This PR is related to issue: https://github.com/home-assistant/core/pull/148148
- Link to documentation pull request:
- Link to cli pull request:
- Link to client library pull request:
## Checklist
- [x] The code change is tested and works locally.
- [x] Local tests pass. **Your PR cannot be merged unless tests pass**
- [x] There is no commented out code in this PR.
- [x] I have followed the [development checklist][dev-checklist]
- [x] The code has been formatted using Ruff (`ruff format supervisor tests`)
- [ ] Tests have been added to verify that the new code works.
If API endpoints or add-on configuration are added/changed:
- [ ] Documentation added/updated for [developers.home-assistant.io][docs-repository]
- [ ] [CLI][cli-repository] updated (if necessary)
- [ ] [Client library][client-library-repository] updated (if necessary)
[dev-checklist]: https://developers.home-assistant.io/docs/en/development_checklist.html
[docs-repository]: https://github.com/home-assistant/developers.home-assistant
[cli-repository]: https://github.com/home-assistant/cli
[client-library-repository]: https://github.com/home-assistant-libs/python-supervisor-client/
## Summary by CodeRabbit
* **Refactor**
  * Improved handling of HTTP headers for more robust and consistent processing when accessing add-ons through ingress. No visible changes to user experience.
dev ← RubenNL:hassio-ingress-multiple-cookies
opened 01:37PM - 04 Jul 25 UTC
## Proposed change
The core (and supervisor) ingress only supported 1 header with the same name. Applications frequently set multiple cookies in 1 response.
This change fixes the response, and also the request. I haven't found a situation where this matters, but it's possible in the HTTP spec.
## Type of change
- [ ] Dependency upgrade
- [x] Bugfix (non-breaking change which fixes an issue)
- [ ] New integration (thank you!)
- [ ] New feature (which adds functionality to an existing integration)
- [ ] Deprecation (breaking change to happen in the future)
- [ ] Breaking change (fix/feature causing existing functionality to break)
- [ ] Code quality improvements to existing code or addition of tests
## Additional information
- This PR fixes or closes issue: fixes #
- This PR is related to issue: https://github.com/home-assistant/supervisor/issues/4290 https://github.com/home-assistant/supervisor/pull/5996
- Link to documentation pull request:
- Link to developer documentation pull request:
- Link to frontend pull request:
## Checklist
- [x] The code change is tested and works locally.
- [x] Local tests pass. **Your PR cannot be merged unless tests pass**
- [x] There is no commented out code in this PR.
- [x] I have followed the [development checklist][dev-checklist]
- [x] I have followed the [perfect PR recommendations][perfect-pr]
- [x] The code has been formatted using Ruff (`ruff format homeassistant tests`)
- [ ] Tests have been added to verify that the new code works.
If user exposed functionality or configuration variables are added/changed:
- [ ] Documentation added/updated for [www.home-assistant.io][docs-repository]
If the code communicates with devices, web services, or third-party tools:
- [ ] The [manifest file][manifest-docs] has all fields filled out correctly.
Updated and included derived files by running: `python3 -m script.hassfest`.
- [ ] New or updated dependencies have been added to `requirements_all.txt`.
Updated by running `python3 -m script.gen_requirements_all`.
- [ ] For the updated dependencies - a link to the changelog, or at minimum a diff between library versions is added to the PR description.
To help with the load of incoming pull requests:
- [ ] I have reviewed two other [open pull requests][prs] in this repository.
[prs]: https://github.com/home-assistant/core/pulls?q=is%3Aopen+is%3Apr+-author%3A%40me+-draft%3Atrue+-label%3Awaiting-for-upstream+sort%3Acreated-desc+review%3Anone+-status%3Afailure
[dev-checklist]: https://developers.home-assistant.io/docs/development_checklist/
[manifest-docs]: https://developers.home-assistant.io/docs/creating_integration_manifest/
[quality-scale]: https://developers.home-assistant.io/docs/integration_quality_scale_index/
[docs-repository]: https://github.com/home-assistant/home-assistant.io
[perfect-pr]: https://developers.home-assistant.io/docs/review-process/#creating-the-perfect-pr
After those 2 are merged and a new release is created, the workaround would no longer be needed.
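Why a proxy that keeps one value per header name breaks multi-cookie logins, as an added example that is not code from either PR or from Supervisor/Core. It models three ways of forwarding headers over constructed response headers; the function names are hypothetical, and the single-valued mapping is an assumption standing in for the "only 1 header with the same name" behaviour described above.

```python
import io
from http.client import parse_headers

# Constructed upstream response headers: an add-on setting two cookies at once.
RAW = (
    b"Content-Type: text/html\r\n"
    b"Set-Cookie: session=abc123; Path=/; HttpOnly\r\n"
    b"Set-Cookie: csrf=tok; Expires=Wed, 09 Jun 2027 10:18:14 GMT; Path=/\r\n"
    b"\r\n"
)


def parse(raw):
    """Parse raw header bytes into a message that keeps duplicate names."""
    return parse_headers(io.BytesIO(raw))


def forward_as_mapping(msg):
    """Single-valued copy: each header name can hold only one value."""
    return list(dict(msg.items()).items())


def forward_comma_joined(msg):
    """Fold duplicates into one comma-separated line (fine for most headers)."""
    folded = {}
    for name, value in msg.items():
        folded[name] = f"{folded[name]}, {value}" if name in folded else value
    return list(folded.items())


def forward_as_pairs(msg):
    """Multi-valued copy: every (name, value) pair is forwarded unchanged."""
    return list(msg.items())


def received_cookies(forwarded):
    """Cookie names a client would take from the forwarded Set-Cookie lines."""
    values = [v for n, v in forwarded if n.lower() == "set-cookie"]
    # One header line yields one cookie: the name before the first '='.
    return [v.split(";", 1)[0].partition("=")[0].strip() for v in values]


if __name__ == "__main__":
    msg = parse(RAW)
    for forward in (forward_as_mapping, forward_comma_joined, forward_as_pairs):
        print(forward.__name__, received_cookies(forward(msg)))
```

Comma-joining is not a safe fallback for `Set-Cookie`: the `Expires` date itself contains a comma, so the joined line cannot be split back reliably and the client sees a single cookie.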
Nice, it took a high level of effort on my part to figure out the workaround.
I found an old HA issue where the developers stated they wouldn’t support the use case so I didn’t consider contributing code because of that old issue.
Hopefully, it is addressed.