diff --git a/lib/shared/session.js b/lib/shared/session.js
index 11731808f..4c7b881b7 100644
--- a/lib/shared/session.js
+++ b/lib/shared/session.js
@@ -48,8 +48,13 @@ export default async function sessionHandler(ctx, next) {
 await ctx.oidc.session.save(ttl);
 }
 
- if (ctx.response.get('set-cookie')) {
- ctx.response.get('set-cookie').forEach((cookie, index, ary) => {
+ let setCookie;
+ // eslint-disable-next-line no-cond-assign
+ if ((setCookie = ctx.response.get('set-cookie'))) {
+ if (typeof setCookie === 'string') {
+ setCookie = [setCookie];
+ }
+ setCookie.forEach((cookie, index, ary) => {
 /* eslint-disable no-param-reassign */
 if (
 !cookie.includes('expires=Thu, 01 Jan 1970')
diff --git a/test/core/basic/isscookie.test.js b/test/core/basic/isscookie.test.js
new file mode 100644
index 000000000..435da1399
--- /dev/null
+++ b/test/core/basic/isscookie.test.js
@@ -0,0 +1,23 @@
+import bootstrap from '../../test_helper.js';
+
+describe('pre-middleware setting "set-cookie" header', () => {
+ before(bootstrap(import.meta.url));
+
+ before(function () {
+ this.provider.use((ctx, next) => {
+ ctx.response.set('set-cookie', 'foo=bar;');
+ return next();
+ });
+ });
+
+ it('does not disturb the session middleware', function () {
+ const auth = new this.AuthorizationRequest({
+ response_type: 'invalid',
+ state: null,
+ });
+
+ return this.wrap({ route: '/auth', verb: 'get', auth })
+ .expect(303)
+ .expect(auth.validatePresence(['error', 'error_description']));
+ });
+});
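Review bot: In the string branch, `setCookie = [setCookie];` creates a temporary array, so anything the `forEach` callback writes through `ary[index]` would not reach the response header. The callback body continues outside the hunk, but the `no-param-reassign` suppression suggests it edits entries in place, which only takes effect when `ctx.response.get('set-cookie')` returned the live header array. If a lone string value can ever be the session cookie, its attributes would be left as the earlier middleware wrote them; write the array back after the loop with `ctx.response.set('set-cookie', setCookie);`, or add a comment such as `// a string value is never the session cookie; wrapped only so forEach does not throw`. The assignment inside the `if` condition and its lint suppression could also be avoided with `const header = ctx.response.get('set-cookie');` followed by `const cookies = Array.isArray(header) ? header : [header];` inside `if (header)`, which keeps the array identity in the array case.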
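Review bot: The test only asserts the 303 status and the error parameters, so it proves the session middleware no longer throws but not that the pre-set cookie survives. Adding `.expect('set-cookie', /foo=bar/)` to the chain would pin that the header written by the earlier middleware is still sent unchanged. A second case in which the earlier middleware sets an array value, or in which a session cookie is issued in the same response, would cover the other shape that `ctx.response.get('set-cookie')` can return.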