supertokens · porcellus · Jun 19, 2025 · Jun 17, 2025 · Jun 17, 2025 · Jun 18, 2025
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [unreleased]
 
+## [20.1.7] - 2025-06-17
+
+-   Refactors internal logic of parsing cookies to check accessToken and optimizes it to avoid parsing unrelated cookies.
+
 ## [20.1.6] - 2024-11-26
 
 -   Fixes an issue where `removeDevice` API allowed removing verifiedTOTP devices without the user completing MFA.

diff --git a/lib/build/recipe/session/cookieAndHeaders.js b/lib/build/recipe/session/cookieAndHeaders.js
@@ -242,26 +242,28 @@ function hasMultipleCookiesForTokenType(req, tokenType) {
     if (cookieString === undefined) {
         return false;
     }
-    const cookies = parseCookieStringFromRequestHeaderAllowingDuplicates(cookieString);
+    const cookieNames = getCookieNamesFromRequestHeaderAllowingDuplicates(cookieString);
     const cookieName = getCookieNameFromTokenType(tokenType);
-    return cookies[cookieName] !== undefined && cookies[cookieName].length > 1;
+    return cookieNames.filter((name) => name === cookieName).length > 1;
 }
 exports.hasMultipleCookiesForTokenType = hasMultipleCookiesForTokenType;
 // This function is required because cookies library (and most of the popular libraries in npm)
 // does not support parsing multiple cookies with the same name.
-function parseCookieStringFromRequestHeaderAllowingDuplicates(cookieString) {
-    const cookies = {};
+function getCookieNamesFromRequestHeaderAllowingDuplicates(cookieString) {
+    const cookieNames = [];
     const cookiePairs = cookieString.split(";");
     for (const cookiePair of cookiePairs) {
-        const [name, value] = cookiePair
-            .trim()
-            .split("=")
-            .map((part) => decodeURIComponent(part));
-        if (cookies.hasOwnProperty(name)) {
-            cookies[name].push(value);
-        } else {
-            cookies[name] = [value];
+        const [name, _] = cookiePair.trim().split("=");
+        // Try to decode the name or fallback to the original name
+        let decodedName = name;
+        try {
+            decodedName = decodeURIComponent(name);
+        } catch (e) {
+            logger_1.logDebugMessage(
+                `getCookieNamesFromRequestHeaderAllowingDuplicates: Error decoding cookie name: ${name}`
+            );
         }
+        cookieNames.push(decodedName);
     }
-    return cookies;
+    return cookieNames;
 }
diff --git a/lib/build/version.d.ts b/lib/build/version.d.ts
diff --git a/lib/build/version.js b/lib/build/version.js
diff --git a/lib/ts/recipe/session/cookieAndHeaders.ts b/lib/ts/recipe/session/cookieAndHeaders.ts
@@ -290,30 +290,31 @@ export function hasMultipleCookiesForTokenType(req: BaseRequest, tokenType: Toke
         return false;
     }
 
-    const cookies = parseCookieStringFromRequestHeaderAllowingDuplicates(cookieString);
+    const cookieNames = getCookieNamesFromRequestHeaderAllowingDuplicates(cookieString);
     const cookieName = getCookieNameFromTokenType(tokenType);
-    return cookies[cookieName] !== undefined && cookies[cookieName].length > 1;
+    return cookieNames.filter((name) => name === cookieName).length > 1;
 }
 
 // This function is required because cookies library (and most of the popular libraries in npm)
 // does not support parsing multiple cookies with the same name.
-function parseCookieStringFromRequestHeaderAllowingDuplicates(cookieString: string): Record<string, string[]> {
-    const cookies: Record<string, string[]> = {};
+function getCookieNamesFromRequestHeaderAllowingDuplicates(cookieString: string): string[] {
+    const cookieNames: string[] = [];
 
     const cookiePairs = cookieString.split(";");
 
     for (const cookiePair of cookiePairs) {
-        const [name, value] = cookiePair
-            .trim()
-            .split("=")
-            .map((part) => decodeURIComponent(part));
-
-        if (cookies.hasOwnProperty(name)) {
-            cookies[name].push(value);
-        } else {
-            cookies[name] = [value];
+        const [name, _] = cookiePair.trim().split("=");
+
+        // Try to decode the name or fallback to the original name
+        let decodedName = name;
+        try {
+            decodedName = decodeURIComponent(name);
+        } catch (e) {
+            logDebugMessage(`getCookieNamesFromRequestHeaderAllowingDuplicates: Error decoding cookie name: ${name}`);
         }
+
+        cookieNames.push(decodedName);
     }
 
-    return cookies;
+    return cookieNames;
 }
diff --git a/lib/ts/version.ts b/lib/ts/version.ts
@@ -12,7 +12,7 @@
  * License for the specific language governing permissions and limitations
  * under the License.
  */
-export const version = "20.1.6";
+export const version = "20.1.7";
 
 export const cdiSupported = ["5.1"];
 

diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
     "name": "supertokens-node",
-    "version": "20.1.6",
+    "version": "20.1.7",
     "description": "NodeJS driver for SuperTokens core",
     "main": "index.js",
     "scripts": {