Layer 7 API Gateway: Issue with Set-Cookie header path and domain values overwriting.


Article ID: 131281

Products

STARTER PACK-7 CA Rapid App Security CA API Gateway

Issue/Introduction

When the HTTP(S) Routing assertion's Headers properties are configured with “Pass through only certain response headers - Set-Cookie”, the scope of the cookie is set to the domain and path of the gateway service.

The gateway is not passing the same value that is received from the backend service: the Path and Domain values are being overwritten.
The log was turned on and the response header captured. Here is the sample:
Received from backend : Set-Cookie:jwt_token=aeyJ…….4UtvbqX1w; Path=/TEST; HttpOnly; Domain=.myssosites.com 
Layer 7 converts it to: Set-Cookie:jwt_token=aeyJ…….4UtvbqX1w; Path=/route2; HttpOnly; Domain=.lvn.broadcom.net

Environment

Release:
Component: APIGTW

Resolution

To resolve this, set up the following:

Backend resource created: setcookie.jsp (sets the cookie)

<%
   // Create the jwt_token cookie with the domain and path the backend wants the browser to use
   Cookie jwt_token = new Cookie("jwt_token", "123455787899");
   jwt_token.setMaxAge(60*60*24);
   jwt_token.setDomain( ".myssosites.com" );
   jwt_token.setPath( "/TEST" );

   // Add the cookie to the response header (Set-Cookie).
   response.addCookie( jwt_token );
%>
<html>
   <head>
      <title>Setting Cookies</title>
   </head>

   <body>
      <center>
         <h1>Setting Cookie</h1>
      </center>
      <ul>
         <li><p><b>JWT Token:</b>
            <%= request.getParameter("jwt_token")%>
         </p></li>
      </ul>
   </body>
</html>

In the gateway service, create the following two context variables and set both to false:

response.cookie.overwriteDomain
response.cookie.overwritePath

HTTP(S) Route to the backend JSP that sets the cookie: http://lodbl509vm025.ssosites.com:8585/jsp1/setcookie.jsp
In the Headers properties of the Route, check “Pass through only certain response headers”.

Immediately after the HTTP(S) route, add a “Manage Cookie” assertion. (NOTE: to change the domain, uncheck “original value” and enter a different domain; however, if that domain differs from the one the client is accessing, the browser may reject the cookie.)


Test 1 gateway service:
http://mcqst02-l22063.lvn.broadcom.net:8080/route2

Fiddler response:
Set-Cookie: jwt_token=123455787899; Domain=.myssosites.com; Path=/; Expires=Thu, 25-Apr-2019 13:36:09 GMT; Max-Age=86908

Checked the browser's cookies from the address bar with javascript:alert(document.cookie): because the cookie was set for .myssosites.com and the browser is accessing .broadcom.net, jwt_token is not available.

Test 2: If the Domain in the Manage Cookie assertion is changed to the domain the client is accessing, the jwt_token cookie is available.
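As an added illustration (not part of this article or the product's code), the following Python models the rewrite described above and the browser's domain-match rule from RFC 6265 section 5.1.3, which is why the cookie in Test 1 is invisible to a client on lvn.broadcom.net while Test 2 succeeds. The rewrite function is an assumed simplified model of the observed behaviour, not the gateway's implementation.

```python
from typing import List, Optional, Tuple

Attrs = List[Tuple[str, Optional[str]]]

def parse_set_cookie(header: str) -> Tuple[str, str, Attrs]:
    """Split a Set-Cookie value into (name, value, [(attr, value-or-None), ...])."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs: Attrs = []
    for p in parts[1:]:
        k, sep, v = p.partition("=")
        attrs.append((k.strip(), v.strip() if sep else None))
    return name.strip(), value.strip(), attrs

def serialize(name: str, value: str, attrs: Attrs) -> str:
    return "; ".join([f"{name}={value}"] + [k if v is None else f"{k}={v}" for k, v in attrs])

def rewrite_like_gateway(header: str, gateway_domain: str, gateway_path: str,
                         overwrite_domain: bool = True, overwrite_path: bool = True) -> str:
    """Model of the default gateway behaviour: Domain/Path are replaced by the gateway
    service's own unless response.cookie.overwriteDomain/overwritePath are false."""
    name, value, attrs = parse_set_cookie(header)
    new_attrs: Attrs = []
    for k, v in attrs:
        if overwrite_domain and k.lower() == "domain":
            v = gateway_domain
        elif overwrite_path and k.lower() == "path":
            v = gateway_path
        new_attrs.append((k, v))
    return serialize(name, value, new_attrs)

def browser_accepts(header: str, request_host: str) -> bool:
    """RFC 6265 5.1.3 domain-match: the Domain attribute must equal the request host
    or be a suffix of it preceded by a dot; otherwise the browser ignores the cookie."""
    _, _, attrs = parse_set_cookie(header)
    domain = next((v for k, v in attrs if k.lower() == "domain" and v), "")
    domain = domain.lower().lstrip(".")
    if not domain:
        return True  # host-only cookie: always accepted for the request host
    host = request_host.lower()
    return host == domain or host.endswith("." + domain)

# Constructed sample, using the values from the article's setcookie.jsp
BACKEND = "jwt_token=123455787899; Path=/TEST; HttpOnly; Domain=.myssosites.com"
GATEWAY_HOST = "mcqst02-l22063.lvn.broadcom.net"
```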


Browser cookies with jwt_token cookie:


The sample policy is attached.

Attachments

1558687164899000131281_sktwi1f5rjvs16f5n.png
1558687163064000131281_sktwi1f5rjvs16f5m.png
1558687161100000131281_sktwi1f5rjvs16f5l.png
1558687158165000131281_sktwi1f5rjvs16f5k.png
1558537207831route2.zip