Layer 7 API Gateway: Issue with Set-Cookie header path and domain values overwriting.


Article ID: 131281


Updated On:


CA API Gateway


When the HTTP(S) Routing assertion's Headers properties are set to “Pass through only certain response headers - Set-Cookie”, the scope of the cookie is reset to the domain and path of the gateway service.

The gateway does not pass through the Path and Domain values received from the backend service; it overwrites them.
With logging turned on, the captured response headers show the change. Sample:
Received from backend: Set-Cookie: jwt_token=aeyJ…….4UtvbqX1w; Path=/TEST; HttpOnly;
Sent by the gateway: Set-Cookie: jwt_token=aeyJ…….4UtvbqX1w; Path=/route2; HttpOnly;



All supported versions of the API Gateway


To resolve this, set up the following:

Backend resource setcookie.jsp (sets the cookie; javax.servlet.http.Cookie is imported implicitly by JSP):

   <%
   // Create cookie jwt_token (placeholder value, not a real JWT)
   Cookie jwt_token = new Cookie("jwt_token", "123455787899");
   jwt_token.setDomain("");        // empty domain: no Domain attribute is emitted (host-only cookie)
   jwt_token.setPath("/TEST");     // backend path that the gateway later rewrites

   // Add the cookie to the response header.
   response.addCookie(jwt_token);
   %>
   <html>
   <head><title>Setting Cookies</title></head>
   <body>
      <h1>Setting Cookie</h1>
      <ul>
         <li><p><b>JWT Token:</b>
            <%= request.getParameter("jwt_token") %></p></li>
      </ul>
   </body>
   </html>


In the gateway service, create the two context variables that control whether the routing assertion overwrites the cookie domain and path, and set both to false.


Add an HTTP(S) Route assertion to the backend setcookie.jsp.
In the Headers properties for the route, check “Pass through only certain response headers” (Set-Cookie).


Immediately after the HTTP(S) route, add a “Manage Cookie” assertion. NOTE: to change the domain, uncheck “original value” and enter the new domain. If that domain differs from the host the client is accessing, the browser may reject the cookie.

Test 1, gateway service:

Fiddler response:
Set-Cookie: jwt_token=123455787899;; Path=/; Expires=Thu, 25-Apr-2019 13:36:09 GMT; Max-Age=86908

Checking the browser's cookies from the address bar with javascript:alert(document.cookie): jwt_token is not available, because the cookie was set for a domain other than the one the browser is accessing.

Test 2: if the Domain in the Manage Cookie assertion is changed to the domain the client accesses, jwt_token is available.
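The following Python model is an added example for this article, not Layer7 code. It parses a Set-Cookie header, applies the two behaviours described above (the routing assertion rescoping the cookie to the gateway service, and a Manage Cookie assertion setting a Domain), and then applies the RFC 6265 domain-match and path-match rules a browser uses to decide whether to store and send the cookie. The gateway hostname gateway.example.com, the backend domain backend.internal.example and the cookie value are constructed placeholders; the service path /route2 and the backend path /TEST are the ones from the captures above.

```python
# Added example (not Layer7 code): models how rewriting a cookie's Domain/Path
# changes which requests the browser attaches it to, and why a Domain set by a
# Manage Cookie assertion must cover the host the client actually uses.
# Hostnames and the cookie value are constructed placeholders.
from urllib.parse import urlsplit

BACKEND_SET_COOKIE = "jwt_token=123455787899; Path=/TEST; HttpOnly"  # as set by setcookie.jsp
GATEWAY_HOST = "gateway.example.com"   # assumed client-facing gateway hostname
SERVICE_PATH = "/route2"               # gateway service resolution path from the captures


def parse_set_cookie(header):
    """Split one Set-Cookie header into name, value, domain, path and other attributes."""
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip(),
              "domain": "", "path": "/", "attrs": []}
    for attr in parts[1:]:
        if not attr:                      # tolerates the ';;' seen in the Fiddler capture
            continue
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "domain":
            cookie["domain"] = val.strip().lower().lstrip(".")
        elif key == "path":
            cookie["path"] = val.strip() or "/"
        else:
            cookie["attrs"].append(key)   # httponly, secure, expires, max-age, ...
    return cookie


def gateway_rewrite(cookie, gateway_host, service_path,
                    overwrite_domain=True, overwrite_path=True):
    """Default routing behaviour: rescope the cookie to the gateway service.
    With both flags False the backend's Domain and Path are passed through unchanged."""
    out = dict(cookie, attrs=list(cookie["attrs"]))
    if overwrite_domain:
        out["domain"] = gateway_host.lower()
    if overwrite_path:
        out["path"] = service_path
    return out


def domain_matches(host, domain):
    """RFC 6265 section 5.1.3 domain-match."""
    return host == domain or host.endswith("." + domain)


def browser_accepts(cookie, set_by_host):
    """RFC 6265 section 5.3 step 6: a Domain attribute that does not cover the
    host that sent the response makes the browser discard the cookie entirely."""
    d = cookie["domain"]
    return not d or domain_matches(set_by_host.lower(), d)


def browser_sends(cookie, set_by_host, request_url):
    """Would a browser that received `cookie` from `set_by_host` attach it to request_url?"""
    if not browser_accepts(cookie, set_by_host):
        return False
    u = urlsplit(request_url)
    host = u.hostname.lower()
    req_path = u.path or "/"
    if cookie["domain"]:
        domain_ok = domain_matches(host, cookie["domain"])
    else:                                 # host-only cookie (no Domain attribute)
        domain_ok = host == set_by_host.lower()
    cp = cookie["path"]                   # RFC 6265 section 5.1.4 path-match
    path_ok = req_path == cp or (req_path.startswith(cp) and
                                 (cp.endswith("/") or req_path[len(cp)] == "/"))
    secure_ok = u.scheme == "https" or "secure" not in cookie["attrs"]
    return domain_ok and path_ok and secure_ok


def visible_to_script(cookie):
    """document.cookie never shows HttpOnly cookies; check those in Fiddler or dev tools."""
    return "httponly" not in cookie["attrs"]


def scenarios():
    """Reproduce the article's observation and the two Manage Cookie tests."""
    backend = parse_set_cookie(BACKEND_SET_COOKIE)
    rewritten = gateway_rewrite(backend, GATEWAY_HOST, SERVICE_PATH)
    preserved = gateway_rewrite(backend, GATEWAY_HOST, SERVICE_PATH, False, False)
    # Manage Cookie assertion rescoping to Path=/ (as in the Fiddler capture) with a
    # Domain the client never uses (Test 1) versus the gateway host itself (Test 2)
    wrong_domain = dict(preserved, domain="backend.internal.example", path="/")
    right_domain = dict(preserved, domain=GATEWAY_HOST, path="/")
    client_url = "https://%s/route2/api" % GATEWAY_HOST
    return {
        "rewritten_path": rewritten["path"],
        "rewritten_sent": browser_sends(rewritten, GATEWAY_HOST, client_url),
        "preserved_sent": browser_sends(preserved, GATEWAY_HOST, client_url),
        "preserved_sent_under_TEST": browser_sends(preserved, GATEWAY_HOST,
                                                   "https://%s/TEST/api" % GATEWAY_HOST),
        "test1_wrong_domain_sent": browser_sends(wrong_domain, GATEWAY_HOST, client_url),
        "test2_right_domain_sent": browser_sends(right_domain, GATEWAY_HOST, client_url),
        "backend_cookie_visible_to_js": visible_to_script(backend),
    }


if __name__ == "__main__":
    for k, v in scenarios().items():
        print("%-30s %s" % (k, v))
```

Two things the model makes visible that the captures alone do not: a passed-through Path=/TEST cookie is never sent back to a client that reaches the service under /route2, so preserving the backend path only helps when the client-facing and backend paths agree; and the backend cookie is HttpOnly, so javascript:alert(document.cookie) would not list it even with the correct domain, which is why the Fiddler or dev-tools view is the reliable check.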



Browser cookies now include the jwt_token cookie.

The sample policy is attached.
