Set-Cookie twice?

I was just randomly checking the headers with a curl request, and then I saw that it sends two kirby cookies, one that’s secure and httpOnly, and one that’s not.

Below is the whole output

HTTP/2 200
date: Fri, 07 Oct 2016 23:23:34 GMT
content-type: text/html; charset=UTF-8
vary: Accept-Encoding
x-powered-by: A giant fire breathing butterfly
set-cookie: kirby_session=vmoi2l0qm9v5h4r147d8bftom1; path=/
expires: Thu, 19 Nov 1981 08:52:00 GMT
cache-control: no-store, no-cache, must-revalidate
pragma: no-cache
set-cookie: kirby_session=vmoi2l0qm9v5h4r147d8bftom1; path=/; secure; HttpOnly
server: CERN httpd
alternate-protocol: 443:npn-spdy/3
x-frame-options: SAMEORIGIN
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
strict-transport-security: max-age=31536000; preload

Hm, this cookie issue has been reported before but should actually have been solved in the meantime according to GitHub issues.

Yeah, I saw that too.
Tried to clear the session folder, restarted php, still get two cookies

I’m also getting this (occasionally).
in the headers:

Set-Cookie:kirby_session=nmnjh4dgm07k8bp8qbas42ccr6; path=/; HttpOnly
Set-Cookie:kirby_session=nmnjh4dgm07k8bp8qbas42ccr6; path=/

But the kirby_session cookie ends up not being set at all.
Then this causes ‘The CSRF token was invalid’ errors for uniform.
It doesn’t seem to affect everyone, and i think is limited to http (rather than https) requests