When `<FaultResponse><Copy><Headers>` is used in a raisefault policy in order to copy response headers from the source to the error message, set-cookie headers are broken when they have an `expires` directive containing a comma (e.g. 'expires=Fri, 30-Dec-16 16:23:42 GMT;').
These are the headers sent from the target:
```
Set-Cookie: A=B; expires=Sun, 29-Jan-2017 17:04:37 GMT; Path=/
Set-Cookie: C=D; expires=Fri, 27-Jan-2017 17:04:37 GMT; Path=/
Set-Cookie: E=F; expires=Wed, 25-Jan-2017 17:04:37 GMT; Path=/
```
But when these set-cookie headers are copied as described above, they are returned in the response like this:
```
Set-Cookie: A=B; expires=Sun
Set-Cookie: 29-Jan-2017 17:04:37 GMT; Path=/
Set-Cookie: C=D; expires=Fri
Set-Cookie: 27-Jan-2017 17:04:37 GMT; Path=/
Set-Cookie: E=F; expires=Wed
Set-Cookie: 25-Jan-2017 17:04:37 GMT; Path=/
```
This seems to be related to the way the Apigee platform breaks set-cookie headers, as has been documented in the following posts:
https://community.apigee.com/questions/6587/modify-set-cookie-header-addchange-in-javascript.html
https://community.apigee.com/questions/1908/question-about-accessing-all-set-cookie-values-fro.html
I don't see an easy way to work around this bug. BTW, the Apigee bug ID is APIRT-2311.
I would suggest using JS to convert Set-Cookie headers using the expires= form, to the max-age= form. But that won't work with IE browsers.
So I think it needs to be fixed in the product.
@epackwood, have you opened a ticket with Apigee Support? How important is this issue for you? Have you escalated that ticket?
@arghya das - making you aware.
We have opened a support ticket. Case #1293813
The issue is fairly important to us. Unfortunately, we're working with systems that are pretty heavily reliant on cookies, and this issue is resulting in cookie issues in our backend.
The JS fix seems like it could be a bit brittle, as we see the same issue when accessing these headers via JS. So we would need to stitch these split cookies back together, which is going to need to assume a consistent good ordering. Also, we don't know how extensively this issue may be affecting us, so it would be a lot of work to locate every affected API.
OK - The ticket number is APIRT-2311. We have a fix being reviewed now, and we are discussing how to roll it out.
Re: The JS fix - I don't think it's satisfactory at all. I agree with your assessment.
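The stitching workaround discussed in this thread, as an added example that is not part of the original posts and is not Apigee code. It is plain JavaScript over an array of header values; the function names and the idea of passing the fragments in as an array are assumptions, and it relies on the fragments arriving in their original order, which is the brittleness noted above.

```javascript
// Added example (hypothetical helper names). Repairs Set-Cookie values that
// were split at the comma inside "expires=Ddd, dd-Mon-yyyy hh:mm:ss GMT".

// A fragment that ends right after the weekday of an expires attribute.
const ENDS_WITH_WEEKDAY = /(?:^|;\s*)expires=(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun)[a-z]*$/i;
// A fragment that starts with the remainder of that date.
const STARTS_WITH_DATE = /^\s*\d{1,2}[- ][A-Za-z]{3}[- ]\d{2,4} \d{2}:\d{2}:\d{2} GMT/;

// Rejoin adjacent fragments only when BOTH halves look like a split date,
// so intact cookies (or cookies using Max-Age) pass through unchanged.
function rejoinSetCookie(fragments) {
  const out = [];
  for (let i = 0; i < fragments.length; i++) {
    const cur = fragments[i];
    const next = fragments[i + 1];
    if (next !== undefined && ENDS_WITH_WEEKDAY.test(cur) && STARTS_WITH_DATE.test(next)) {
      out.push(cur + ', ' + next.replace(/^\s+/, ''));
      i++; // the next fragment has been consumed
    } else {
      out.push(cur);
    }
  }
  return out;
}

// Optional second step from the thread: rewrite expires= as Max-Age=, which
// contains no comma. The thread notes this does not work with IE browsers.
function expiresToMaxAge(cookie, nowMs) {
  return cookie.replace(/\bexpires=([^;]+)/i, (match, date) => {
    const t = Date.parse(date.trim().replace(/-/g, ' '));
    if (Number.isNaN(t)) return match; // unparseable date: leave untouched
    return 'Max-Age=' + Math.max(0, Math.round((t - nowMs) / 1000));
  });
}

// Sample input: the broken values quoted in the question, plus one
// constructed cookie without an expires attribute.
const SAMPLE_FRAGMENTS = [
  'A=B; expires=Sun', '29-Jan-2017 17:04:37 GMT; Path=/',
  'C=D; expires=Fri', '27-Jan-2017 17:04:37 GMT; Path=/',
  'session=xyz; Path=/; HttpOnly',
];
```
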