Set-Cookie header is set in response when valid cookies are sent in headers #52

@hieuk09

Description

Currently, when setting up a rack app using Cookie session, I encounter the following behavior:

  • Step 1: I send the first request without any cookies. I receive a response with a Set-Cookie header.
  • Step 2: I send the second request with a Cookie header equal to the above Set-Cookie header.

  • In Rack 2.x: Set-Cookie is not set in the response.
  • In Rack 3.x: the Set-Cookie header is set.

I checked and saw that in lib/rack/session/abstract/id.rb, the set_cookie method compares the new cookie value with the existing one to decide whether to set the Set-Cookie header. However, in lib/rack/session/cookie.rb, in encode_session_data, the encryptor injects a random IV, so the cookie value is always different, even though the session value is the same.

I checked RFC 6265 and it states that:

If a server sends multiple responses containing Set-Cookie headers concurrently to the user agent (e.g., when communicating with the user agent over multiple sockets), these responses create a "race condition" that can lead to unpredictable behavior.

Can I confirm whether it's expected that Rack 3.x changes the behavior here?
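The mechanism described in this report, as an added illustration that is not rack-session's own code: an authenticated cipher that draws a fresh random IV on every call produces a different ciphertext for the same plaintext, so comparing two encrypted cookie values tells you nothing about whether the session changed. The example uses AES-256-GCM from Ruby's OpenSSL stdlib with an assumed 256-bit key, an assumed token layout of IV || tag || ciphertext, and a constructed session hash; `ciphertext_changed?` is the unstable comparison and `session_changed?` compares the decrypted session instead, which is the check that actually answers "did the session change?".

```ruby
require "openssl"
require "json"
require "base64"

# Assumption: a 256-bit key generated for this run (constructed, not a real secret).
KEY = OpenSSL::Random.random_bytes(32)

# Encrypt a session hash with AES-256-GCM. A new random 12-byte IV is drawn
# on every call, so two encryptions of the same hash never produce the same token.
# Token layout (assumed for this example): IV (12 bytes) || auth tag (16 bytes) || ciphertext.
def encrypt_session(session, key)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  cipher.key = key
  iv = cipher.random_iv          # sets and returns a fresh random IV
  cipher.auth_data = ""
  ciphertext = cipher.update(JSON.generate(session)) + cipher.final
  Base64.strict_encode64(iv + cipher.auth_tag + ciphertext)
end

# Decrypt and authenticate a token produced by encrypt_session; raises on tampering.
def decrypt_session(token, key)
  raw = Base64.strict_decode64(token)
  iv, tag, ciphertext = raw[0, 12], raw[12, 16], raw[28..]
  cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  cipher.key = key
  cipher.iv = iv
  cipher.auth_tag = tag
  cipher.auth_data = ""
  JSON.parse(cipher.update(ciphertext) + cipher.final)
end

# The unstable check: re-encrypt and compare ciphertexts. Always true, because
# the IV differs each time, which is why Set-Cookie is emitted on every response.
def ciphertext_changed?(old_token, session, key)
  encrypt_session(session, key) != old_token
end

# The stable check: compare the decrypted session with the current one.
# Only true when the session content actually differs.
def session_changed?(old_token, session, key)
  decrypt_session(old_token, key) != session
end

if __FILE__ == $PROGRAM_NAME
  session = { "user_id" => 42 }          # constructed sample session
  token   = encrypt_session(session, KEY)
  puts "ciphertext changed? #{ciphertext_changed?(token, session, KEY)}"  # true
  puts "session changed?    #{session_changed?(token, session, KEY)}"     # false
end
```

Both checks run over the same token; the first reports a change on every request, the second only when the session hash differs, which is the behaviour the comparison in set_cookie is presumably meant to capture.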
