AnsweredAssumed Answered

How can we allow an API to set a cookie?

Question asked by JamesSEEK on Jan 8, 2016
Latest reply on Jan 12, 2016 by Stephen_Hughes

Hi,

 

What we want to achieve

We want to allow our REST APIs to set cookies in response to a client call (i.e. use Set-Cookie with the domain of our website)

 

The setup

The API Gateway receives HTTP API calls such as https:/seek.com.au/v2/job

 

The API Gateway sends the API requests to a backend load balancer on https://myloadbalancer/v2/job for load balancing across our farm

 

The backend APIs respond with a Set-Cookie header (in this example the cookie name/value is 'mycookie=123') using the original callers domain e.g. seek.com.au

 

The problem

However the cookie is being stripped/rejected by the API Gateway and the following message logged

WARNING org.apache.http.client.protocol.ResponseProcessCookies: Cookie rejected: "[version: 0][name: mycookie][value: 123][domain: seek.com.au][path: /][expiry: Sun Sep 18 06:34:58 UTC 2015]". Illegal domain attribute "seek.com.au". Domain of origin: "myloadbalancer"

 

It appear as though the HTTPClient is rejecting the Cookie as it is setting it for our domain (seek.com.au), but that does not match the URL used to send the request (i.e. to the load balancer). I cannot see how Set-Cookie will ever work!

 

The question

How can we allow backend API to set cookies on HTTP responses?

 

James

Outcomes