HTTP spec allows for repeated headers in requests and responses.
https://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.2
As far as generating responses go, there's the alternative of combining them as a comma separated list. Payload is doing neither and doing something like setting Set-Cookie header twice only uses one of those values. On second look, https://www.rfc-editor.org/rfc/rfc6265#page-6 says that Set-Cookie headers shouldn't do that.
I didn't check how Payload does request parsing but I'd expect it to discard headers on that end as well.
HTTP spec allows for repeated headers in requests and responses.
https://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.2
As far as generating responses go, there's the alternative of combining them as a comma separated list. Payload is doing neither and doing something like settingOn second look, https://www.rfc-editor.org/rfc/rfc6265#page-6 says thatSet-Cookieheader twice only uses one of those values.Set-Cookieheaders shouldn't do that.I didn't check how Payload does request parsing but I'd expect it to discard headers on that end as well.