In a user logout flow \Symfony\Component\Security\Http\EventListener\SessionLogoutListener gets triggered which invalidates the user session by calling session_regenerate_id(true) which calls \Symfony\Component\HttpFoundation\Session\Storage\Handler\AbstractSessionHandler::destroy which calls setcookie($this->sessionName, '', $params);. Calling setcookie with the second argument (the value) being an empty string signals to PHP that we want to send a Set-Cookie HTTP header to the client so that the client deletes the cookie (aka the expiry time of the cookie gets set to some time in the past) and PHP also sets the value of that cookie to deleted -> https://github.com/php/php-src/blob/php-8.1.9/ext/standard/head.c#L124

The \Symfony\Component\HttpKernel\EventListener\AbstractSessionListener class did not handle this case as \Symfony\Component\HttpKernel\EventListener\AbstractSessionListener::onKernelResponse method would call $response->headers->clearCookie() without calling the popSessionCookie method which would then add this same cookie again which would then result in two Set-Cookie headers being sent to the client for the same cookie.