Set-Cookie header duplicated when setting cookie maxAge in middleware and redirecting from a Server Component

[reh2ur]

Link to the code that reproduces this issue

https://github.com/reh2ur/next-set-cookie-bug

To Reproduce

1. Start the application in development (next dev).
2. Directly visit http://localhost:3000/redirect.
3. Observe the Set-Cookie response headers of the /redirect request.

Current vs. Expected behavior

Following the steps from above, I mostly observe two Set-Cookie headers in the response of /redirect, with Expires times being a second apart and therefore probably not deduped.

I would expect each cookie to be set and send only once.

This does not always happen, but it happens on production as well, and is best reproducible when restarting the dev server between tries. I assume that the middleware still needs to be compiled, which consumes more time.

Provide environment information

Operating System:
  Platform: darwin
  Arch: arm64
  Version: Darwin Kernel Version 24.2.0: Fri Dec  6 19:02:12 PST 2024; root:xnu-11215.61.5~2/RELEASE_ARM64_T6031
  Available memory (MB): 36864
  Available CPU cores: 14
Binaries:
  Node: 23.7.0
  npm: 10.9.2
  Yarn: 4.6.0
  pnpm: 10.6.2
Relevant Packages:
  next: 15.3.0-canary.26 // Latest available version is detected (15.3.0-canary.26).
  eslint-config-next: 15.1.7
  react: 19.0.0
  react-dom: 19.0.0
  typescript: 5.7.3
Next.js Config:
  output: N/A

Which area(s) are affected? (Select all that apply)

Middleware, Headers, Redirects, Cookies

Which stage(s) are affected? (Select all that apply)

next dev (local), next start (local)

Additional context

The first 15-canary version that creates duplicate cookies is v15.0.0-canary.73. Here, I can see a second Set-Cookie header but without all the other properties. In the following canaries, the behavior is changed multiple times.