Set-Cookie header deduplication bug

When a WSGI application returns multiple Set-Cookie headers in a single response, only the last one is preserved. This is because response headers are collected into an Erlang map, which deduplicates keys — so multiple Set-Cookie entries collapse into one.

This breaks any application that sets more than one cookie per response (e.g. session + CSRF, or login flows that set multiple cookies).