No, you can't set a cookie in an SSI because the SSI headers are ignored (including your set-cookie header). I think I said this. You can put "scooby-doo: where are you?" in an SSI header, and you won't see it in your output. SSI headers are ignored. And my point about MIME type is that that's a typical header (in fact, mandatory).

It has nothing at all to do with the timing of invoking the SSI. In fact, the SSI could be (and typically is) complete before the first byte has been sent to the browser. It's just that by decree, SSI headers don't matter (except a redirect, and maybe some other status values).