CORS blocking cookies being set on browser?


I find this issue a little bit confusing, but I'll try my best to explain.

For some context, we have a CORS policy for the proxy (it is set like in the doc https://docs.apigee.com/api-platform/develop/adding-cors-support-api-proxy). Also, the API uses a couple of cookies to create a user session.

So the devs are saying the following: when they test the API requests in a browser with CORS disabled, it works fine. The cookies are sent, set in the browser and the session works fine (we changed the cookies' domain to match Apigee's domain).

But in browsers with CORS, the cookies are not being set.

I'm not sure if Apigee is even related here, but maybe someone has some idea.

I guess my questions are: the AM CORS policy wouldn't interfere with the AM policy that sets the cookie, right? Is there a limit or something like that for AM policies?

Could it be that the problem is still the cookie's domain? Also, it was suggested to customize the domain (https://docs.apigee.com/api-platform/publish/portal/custom-domain). Could that solve it?


Anyway, any insight is appreciated. Thank you.


I'm not sure on the root cause of your issue but I'd suggest using the Apigee trace and browser's development tools - network view to debug what's happening between the browser and Apigee.

Regarding the domain of your Apigee APIs, the link you have provided for customizing the domain is for the developer portal, not your actual APIs. If you're using Apigee Edge for cloud (SaaS), you want to follow this to update your virtual hosts:

https://docs.apigee.com/api-platform/fundamentals/configuring-virtual-hosts-cloud

It would be useful if you could share what you're seeing in a debug session for both scenarios. Also, the browser dev tools (console, etc.) should give you clues about what's missing. Make sure that you're setting the following headers:

Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: ALLOWED CORS DOMAINS HERE
Access-Control-Allow-Headers: INCLUDE YOUR AUTH HEADERS HERE


Finally, if you're using Apigee X or Apigee Hybrid, then you should leverage the CORS policy instead.
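As an added example (not code from the thread, Apigee, or either reply's author), here is a small Node.js checker that applies the browser rules a credentialed cross-origin request has to satisfy before the response's cookies are stored: the three response headers listed in the reply above, plus the cookie's own SameSite/Secure/Domain attributes, which the original post suspects. The header and Set-Cookie values it is run on are constructed samples; the hostnames are placeholders, not the poster's real Apigee domain. The rules encoded are the standard Fetch/CORS behaviour (no wildcard origin with credentials, `Access-Control-Allow-Credentials` must be literally `true`, `Access-Control-Allow-Headers: *` is not a wildcard for credentialed requests) and the current browser default of treating a cookie without SameSite as Lax, which blocks cross-site use.

```javascript
// Added example, not from the original post. Models what a browser checks for a
// fetch(url, { credentials: 'include' }) before it accepts Set-Cookie from a
// cross-origin API. All inputs used in the functions are constructed samples.

// Lowercase all header names so lookups are case-insensitive.
function normalizeHeaders(headers) {
  return Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v)])
  );
}

// Parse one Set-Cookie value into { name, value, attrs } with lowercase attribute keys.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const attr of rest) {
    if (!attr) continue;
    const i = attr.indexOf('=');
    const key = (i < 0 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i < 0 ? true : attr.slice(i + 1);
  }
  return cookie;
}

// Reasons a browser would refuse to expose a credentialed response from `origin`
// (and therefore never store its cookies). Empty array means the CORS side is OK.
// `requestedHeaders` are the names the browser would send in
// Access-Control-Request-Headers during the preflight (e.g. a custom auth header).
function corsCredentialProblems(origin, responseHeaders, requestedHeaders = []) {
  const h = normalizeHeaders(responseHeaders);
  const problems = [];

  const allowOrigin = h['access-control-allow-origin'];
  if (!allowOrigin) {
    problems.push('missing Access-Control-Allow-Origin');
  } else if (allowOrigin === '*') {
    problems.push('Access-Control-Allow-Origin must not be * when credentials are used');
  } else if (allowOrigin !== origin) {
    problems.push(`Access-Control-Allow-Origin ${allowOrigin} does not match request origin ${origin}`);
  }

  if ((h['access-control-allow-credentials'] || '').toLowerCase() !== 'true') {
    problems.push('Access-Control-Allow-Credentials must be exactly "true"');
  }

  // With credentials, "*" in Allow-Headers is taken literally, so each requested
  // header has to be listed by name (comparison is case-insensitive).
  const allowed = (h['access-control-allow-headers'] || '')
    .split(',').map((s) => s.trim().toLowerCase()).filter(Boolean);
  for (const name of requestedHeaders) {
    if (!allowed.includes(name.toLowerCase())) {
      problems.push(`request header ${name} is not listed in Access-Control-Allow-Headers`);
    }
  }
  return problems;
}

// Reasons a cookie in a cross-site response would be dropped, or would not be
// sent back to `apiHost` on later requests. Empty array means the cookie is OK.
function cookieProblems(setCookie, apiHost) {
  const c = parseSetCookie(setCookie);
  const problems = [];

  // Browsers now default a missing SameSite to Lax, which blocks cross-site use.
  const sameSite = String(c.attrs.samesite || 'Lax').toLowerCase();
  if (sameSite !== 'none') {
    problems.push(`${c.name}: SameSite=${sameSite} blocks cross-site use; needs SameSite=None`);
  } else if (!c.attrs.secure) {
    problems.push(`${c.name}: SameSite=None requires the Secure attribute`);
  }

  // The Domain attribute must equal the API host or be a parent domain of it.
  if (c.attrs.domain) {
    const d = String(c.attrs.domain).replace(/^\./, '').toLowerCase();
    const host = apiHost.toLowerCase();
    if (host !== d && !host.endsWith('.' + d)) {
      problems.push(`${c.name}: Domain=${c.attrs.domain} does not cover ${apiHost}`);
    }
  }
  return problems;
}

module.exports = { parseSetCookie, corsCredentialProblems, cookieProblems };
```

Run the two checks against the exact headers seen in the browser's network tab for the preflight and the actual response (and the Set-Cookie line from the Apigee trace) for both the CORS-disabled and normal-browser scenarios; the first non-empty list is usually the reason the cookie never appears in the cookie jar.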