We have recently upgraded our gateways from version 10.0 CR4 to 10.1 CR2. We are seeing some behavior differences related to cookies when the gateway is making an outbound route.
It seems like the gateway is caching for a period of time cookies set by the backend API. On subsequent calls, it is sending the cookies even if the gateway is handling a new request.
If you make any change to the gateway policy (e.g. adding an audit assertion), the gateway seems to reset its cache.
We have tried multiple things including explicitly trying to remove the cookie from the request and modifying the routing assertion to not send the Cookie header. No luck. I'm attaching the policy I have been testing with if that helps.
Release : 10.1
Component : API GATEWAY
This appears to be caused by the upgrade to the http-client 4.5.x library. The old and new clients differ in how they use the context while processing a request. The issue can be observed only when the state pool is enabled for HTTP routing.
Old http client: https://github.com/apache/httpcomponents-client/blob/rel/v4.2.5/httpclient/src/main/java/org/apache/http/impl/client/AbstractHttpClient.java#L855
New http client: https://github.com/apache/httpcomponents-client/blob/4.5.x/httpclient/src/main/java/org/apache/http/impl/client/InternalHttpClient.java#L164
In the new library, http.cookie-store makes the difference: it remembers the cookies from previous request/response processing. Because the gateway does not want cookie management at the routing level, cookie management can be disabled for the HTTP client.
The above setting on the HTTP client builder ensures that cookies from request/response messages are not processed.
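The following is an added illustration, not the gateway's code or the vendor's fix. It reproduces the effect with one reused Apache HttpClient 4.5.x instance against a constructed local backend, then repeats the calls with `disableCookieManagement()` on the builder. The class name, the backend and the cookie value are assumptions, and HttpClient 4.5.x must be on the classpath.

```java
import com.sun.net.httpserver.HttpServer;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.util.EntityUtils;
import java.net.InetSocketAddress;
import java.nio.charset.StandardCharsets;

public class CookieBleedDemo {
    // Sends one GET and returns the body, which is the Cookie header the backend saw.
    static String call(CloseableHttpClient client, String url) throws Exception {
        try (CloseableHttpResponse resp = client.execute(new HttpGet(url))) {
            return EntityUtils.toString(resp.getEntity());
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in backend: always sets a session cookie and echoes
        // back whatever Cookie header arrived with the request ("none" if absent).
        HttpServer backend = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        backend.createContext("/", ex -> {
            String seen = ex.getRequestHeaders().getFirst("Cookie");
            byte[] body = (seen == null ? "none" : seen).getBytes(StandardCharsets.UTF_8);
            ex.getResponseHeaders().add("Set-Cookie", "SESSION=constructed-value; Path=/");
            ex.sendResponseHeaders(200, body.length);
            ex.getResponseBody().write(body);
            ex.close();
        });
        backend.start();
        String url = "http://127.0.0.1:" + backend.getAddress().getPort() + "/";

        // Default builder: the client keeps one cookie store for its lifetime, so a
        // cookie set by response 1 is replayed on the unrelated request 2.
        try (CloseableHttpClient shared = HttpClients.custom().build()) {
            System.out.println("default   #1 backend saw: " + call(shared, url));
            System.out.println("default   #2 backend saw: " + call(shared, url));
        }
        // Cookie management disabled: Set-Cookie is not stored and nothing is replayed.
        try (CloseableHttpClient stateless =
                 HttpClients.custom().disableCookieManagement().build()) {
            System.out.println("stateless #1 backend saw: " + call(stateless, url));
            System.out.println("stateless #2 backend saw: " + call(stateless, url));
        }
        backend.stop(0);
    }
}
```

When the two requests belong to different callers, the replayed cookie is a backend session identifier crossing from one caller's request to another's, which is why the behaviour matters beyond correctness.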
The workaround is to disable the routing state pool:
In the system.properties file set
Then restart the gateway service:
service ssg restart
*** Special note: Disabling statePool will affect HTTP keep-alive on outbound routes. This could cause some additional performance concerns if you are using keep-alive on HTTP routing assertions. (This does not affect keep-alive on inbound gateway connections to the HTTP listen port.)
Also a hotfix is available upon request: DE545252_Fix_ViewingSSGLogsFrom_OtherNodes.
A support case can be opened and a fix can be requested.