Copying headers in RaiseFault policy breaks set-cookie headers in response

When `<FaultResponse><Copy><Headers>` is used in a RaiseFault policy in order to copy response headers from the source to the error message, set-cookie headers are broken when they have an `expires` directive containing a comma (e.g. 'expires=Fri, 30-Dec-16 16:23:42 GMT;').

These are the headers sent from the target:

Set-Cookie: A=B; expires=Sun, 29-Jan-2017 17:04:37 GMT; Path=/
Set-Cookie: C=D; expires=Fri, 27-Jan-2017 17:04:37 GMT; Path=/
Set-Cookie: E=F; expires=Wed, 25-Jan-2017 17:04:37 GMT; Path=/

But when these set-cookie headers are copied as described above, they are returned in the response like this:

Set-Cookie: A=B; expires=Sun
Set-Cookie: 29-Jan-2017 17:04:37 GMT; Path=/
Set-Cookie: C=D; expires=Fri
Set-Cookie: 27-Jan-2017 17:04:37 GMT; Path=/
Set-Cookie: E=F; expires=Wed
Set-Cookie: 25-Jan-2017 17:04:37 GMT; Path=/

This seems to be related to the way the Apigee platform breaks set-cookie headers, as has been documented in the following posts:

https://community.apigee.com/questions/6587/modify-set-cookie-header-addchange-in-javascript.html

https://community.apigee.com/questions/1908/question-about-accessing-all-set-cookie-values-fro.html

Is there any way to work around this Apigee bug?


I don't see an easy way to work around this bug. BTW, the Apigee bug ID is APIRT-2311.

I would suggest using JS to convert Set-Cookie headers using the expires= form, to the max-age= form. But that won't work with IE browsers.

So I think it needs to be fixed in the product.

@epackwood, have you opened a ticket with Apigee Support? How important is this issue for you? Have you escalated that ticket?

@arghya das - making you aware.

We have opened a support ticket. Case #1293813

The issue is fairly important to us. Unfortunately, we're working with systems that are pretty heavily reliant on cookies, and this issue is resulting in cookie issues in our backend.

The JS fix seems like it could be a bit brittle, as we see the same issue when accessing these headers via JS. So we would need to stitch these split cookies back together, which is going to need to assume a consistent good ordering. Also, we don't know how extensively this issue may be affecting us, so it would be a lot of work to locate every affected API.

ok - The ticket number is APIRT-2311. We have a fix being reviewed now, and we are discussing how to roll it out.

Re: The JS fix - I don't think it's satisfactory at all. I agree with your assessment.
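
The stitching workaround discussed in this thread, as an added example that is not code from any poster or from Apigee: it rejoins only adjacent fragments that match both halves of a split `expires` date and reports anything else instead of guessing, then optionally rewrites `expires` as `Max-Age`. It is plain JavaScript with no Apigee API calls; the function names and the sample array are assumptions.

```javascript
// Added example: plain JavaScript, no Apigee API calls; all names are hypothetical.
// A fragment that was cut right after the weekday of an expires date.
var ENDS_WITH_WEEKDAY = /(?:^|;)\s*expires=(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun)[a-z]*$/i;
// A fragment that begins with the rest of that date, e.g. "29-Jan-2017 17:04:37 GMT".
var STARTS_WITH_DATE = /^\s*\d{1,2}[- ][A-Za-z]{3}[- ]\d{2,4} \d{2}:\d{2}:\d{2} GMT\b/;

// Rejoin adjacent head/tail pairs. Anything that looks split but has no
// matching neighbour is reported in `unrepaired` rather than guessed at.
function restitchSetCookie(fragments) {
  var cookies = [], unrepaired = [];
  for (var i = 0; i < fragments.length; i++) {
    var head = fragments[i], tail = fragments[i + 1];
    if (ENDS_WITH_WEEKDAY.test(head) && tail !== undefined && STARTS_WITH_DATE.test(tail)) {
      cookies.push(head + ", " + tail.replace(/^\s+/, ""));
      i++; // the tail has been consumed
    } else if (ENDS_WITH_WEEKDAY.test(head) || STARTS_WITH_DATE.test(head)) {
      unrepaired.push(head);
    } else {
      cookies.push(head);
    }
  }
  return { cookies: cookies, unrepaired: unrepaired };
}

// Optional: rewrite expires=<date> as Max-Age=<seconds> relative to nowMs,
// so the emitted header no longer contains a comma.
function expiresToMaxAge(cookie, nowMs) {
  return cookie.replace(/(;\s*)expires=([^;]+)/i, function (match, sep, date) {
    var t = Date.parse(date.replace(/-/g, " "));
    if (isNaN(t)) { return match; } // leave unparseable dates untouched
    return sep + "Max-Age=" + Math.max(0, Math.round((t - nowMs) / 1000));
  });
}

// Constructed sample: split values as shown in the question, plus one orphan.
var SAMPLE = [
  "A=B; expires=Sun", "29-Jan-2017 17:04:37 GMT; Path=/",
  "C=D; expires=Fri", "27-Jan-2017 17:04:37 GMT; Path=/",
  "G=H; Path=/",
  "E=F; expires=Wed"
];
var result = restitchSetCookie(SAMPLE);
console.log(result.cookies.join("\n"));
console.log("unrepaired:", result.unrepaired);
```

A non-empty `unrepaired` list means the fragments did not arrive in head/tail order, which is the ordering assumption raised above.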