Layer7 API Management

  • 1.  How can we allow an API to set a cookie?

    Posted Jan 07, 2016 10:27 PM



    What we want to achieve

    We want to allow our REST APIs to set cookies in response to a client call (i.e. use Set-Cookie with the domain of our website)


    The setup

    The API Gateway receives HTTP API calls such as https:/


    The API Gateway sends the API requests to a backend load balancer on https://myloadbalancer/v2/job for load balancing across our farm


    The backend APIs respond with a Set-Cookie header (in this example the cookie name/value is 'mycookie=123') using the original caller's domain e.g.


    The problem

    However, the cookie is being stripped/rejected by the API Gateway and the following message is logged:

    WARNING org.apache.http.client.protocol.ResponseProcessCookies: Cookie rejected: "[version: 0][name: mycookie][value: 123][domain:][path: /][expiry: Sun Sep 18 06:34:58 UTC 2015]". Illegal domain attribute "". Domain of origin: "myloadbalancer"


    It appears as though the HTTPClient is rejecting the cookie as it is setting it for our domain (, but that does not match the URL used to send the request (i.e. to the load balancer). I cannot see how Set-Cookie will ever work!


    The question

    How can we allow backend API to set cookies on HTTP responses?



  • 2.  Re: How can we allow an API to set a cookie?

    Broadcom Employee
    Posted Jan 11, 2016 04:11 PM



    The Manage Cookie assertion is designed to allow for the cookie to be manipulated by the gateway to ensure that the cookie will work on either side of the gateway. You can use the Update operation in the assertion to override cookies based on a match by criteria then uncheck the original value checkbox to set the value which you would like to change it to on the front end or back end if the cookie is being sent through to the gateway but needs to be passed to back end. For passing the cookie back and forth, you will need to ensure that the HTTP routing assertion is either sending through all headers or has the cookie header set for only certain headers.




    Stephen Hughes

    CA Technologies
    Director, CA

    Toll-Free Phone: 1.800.225.5224 ext 48392

    Outside North America: 604.235.8392

  • 3.  Re: How can we allow an API to set a cookie?
    Best Answer

    Posted Jan 11, 2016 08:27 PM

    Found the answer in Manage Cookie Assertion - CA API Gateway - 9.0 - CA Technologies Documentation


    TLDR: set context variables to 'false' for ${response.cookie.overwritePath} and ${response.cookie.overwriteDomain}


    "The Gateway may rewrite cookie attributes in order to track cookies origins or to ensure that the cookies will be sent back to the Gateway in subsequent requests. It is recommended that this automatic rewriting be maintained, but advanced users may disable the rewriting for troubleshooting purposes by setting the following context variables to 'false': ${response.cookie.overwritePath} and ${response.cookie.overwriteDomain}."
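
To show why the warning in the first post appears and what to verify once the automatic rewriting is switched off, this added example (not from the thread or from the CA documentation) applies the RFC 6265 domain-match rule to both hops. The public host `api.example.com`, the cookie domain `example.com` and the `rescope` helper are assumptions for illustration; only `myloadbalancer` and `mycookie=123` come from the thread.

```python
from http.cookies import SimpleCookie

def domain_match(host, cookie_domain):
    """RFC 6265 section 5.1.3 domain-match for host names (IP literals not handled)."""
    host = host.lower().rstrip(".")
    dom = cookie_domain.lower().lstrip(".")
    return bool(dom) and (host == dom or host.endswith("." + dom))

def parse(set_cookie):
    """Return the single morsel of a Set-Cookie header value, or None."""
    jar = SimpleCookie()
    jar.load(set_cookie)
    return next(iter(jar.values()), None)

def accepted_by(set_cookie, request_host):
    """Would a client that sent its request to request_host store this cookie?"""
    m = parse(set_cookie)
    if m is None:
        return False
    # No Domain attribute: host-only cookie, bound to request_host.
    return not m["domain"] or domain_match(request_host, m["domain"])

def audit_passthrough(set_cookie, backend_host, public_host):
    """Check one backend cookie against both hops when it is forwarded unchanged."""
    return {
        "routing_hop": accepted_by(set_cookie, backend_host),  # gateway -> backend
        "browser_hop": accepted_by(set_cookie, public_host),   # caller -> gateway
    }

def rescope(set_cookie, public_host):
    """Hypothetical proxy-side rewrite: pin Domain to the host the caller used."""
    m = parse(set_cookie)
    m["domain"] = public_host
    return m.OutputString()

# Constructed sample values; only "myloadbalancer" and mycookie=123 are from the thread.
BACKEND = "myloadbalancer"
PUBLIC = "api.example.com"
HEADER = "mycookie=123; Domain=example.com; Path=/"

if __name__ == "__main__":
    print(audit_passthrough(HEADER, BACKEND, PUBLIC))
    print(audit_passthrough("mycookie=123; Domain=other.test; Path=/", BACKEND, PUBLIC))
    print(rescope(HEADER, PUBLIC))
```

With rewriting disabled the backend alone decides the cookie's Domain and Path, so a `browser_hop` result of `False` means the caller will drop the cookie even though the gateway forwarded it.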

  • 4.  Re: How can we allow an API to set a cookie?

    Broadcom Employee
    Posted Jan 11, 2016 08:32 PM



    I'm glad you found what you are looking for. If you need more custom work then the solution I outlined will cover that.




    Stephen Hughes

    Director, CA Support