Hi @bablisah,
It looks like there might be two potential issues here:
1. Using “Cookies” instead of “Cookie”: The correct header for sending cookies is Cookie (singular), not Cookies. By manually adding a Cookies header, you’re creating a custom header that the backend may not recognize. Apigee doesn’t alter or modify cookies by default unless there’s a specific policy to do so, so ensure you’re using the correct header name.
2. Using Add instead of Set: Another thing to watch out for is using Add instead of Set. The Add operation appends new values to the existing headers, which can lead to concatenation (e.g., multiple cookies or headers joined by commas). If the Cookie header already exists, Add won’t replace it but will append your new value, leading to unexpected results.
Try switching to Set, which ensures any existing Cookie header is overwritten (if you really need to do so):
<Set> <!-- Set will replace the existing value -->
  <Headers>
    <Header name="X-Token">{flow.variable.with.token}</Header>
    <Header name="Cookie">{flow.variable.with.cookie}</Header> <!-- Use "Cookie" -->
  </Headers>
</Set>
As for Apigee, by default, it behaves like a pass-through unless policies are configured to modify the request. If you’re handling all the logic on the backend, Apigee won’t touch the headers. But if there’s any processing or logic happening at the proxy level, you need to ensure you’re using the Set operation to correctly manage your headers.
Misconfiguring headers this way can lead to parameter pollution, where multiple values are concatenated unintentionally, causing unexpected behavior in your API calls. For example, this can happen when using Add in the AssignMessage policy instead of Set.
To help prevent this, CodeSent can automatically detect when request parameters are polluted due to improper header configuration. This ensures your headers are managed correctly, keeping your proxy clean and functional.
Check out this rule here: AssignMessage Request Parameters Pollution.
Best,
Nikita
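Added example, not part of the reply above and not CodeSent's rule: a small Python check that parses an AssignMessage policy and flags the two problems described in the reply (a misnamed "Cookies" header, and Add used on a header that should carry a single value). The policy names, the sample policies and the two header lists are constructed assumptions for illustration.

```python
import xml.etree.ElementTree as ET

# Assumed list for this example: headers where appending a second value is a bug.
SINGLE_VALUED = {"cookie", "authorization", "host", "content-type", "content-length"}
# Assumed list of misspelled header names and the header that was meant.
MISNAMED = {"cookies": "Cookie"}


def lint_assign_message(policy_xml):
    """Return a list of (header_name, finding) for one AssignMessage policy."""
    root = ET.fromstring(policy_xml)
    findings = []
    for op in ("Add", "Set"):
        for header in root.findall(f"./{op}/Headers/Header"):
            name = header.get("name", "")
            key = name.lower()
            if key in MISNAMED:
                findings.append((name, f"non-standard header, did you mean {MISNAMED[key]}?"))
            if op == "Add" and key in SINGLE_VALUED:
                findings.append((name, "Add appends to an existing value; use Set to overwrite"))
    return findings


# Constructed sample policies, modelled on the snippet in the post.
BAD_POLICY = """
<AssignMessage name="AM-Example-Add">
  <Add>
    <Headers>
      <Header name="X-Token">{flow.variable.with.token}</Header>
      <Header name="Cookies">{flow.variable.with.cookie}</Header>
      <Header name="Cookie">{flow.variable.with.cookie}</Header>
    </Headers>
  </Add>
</AssignMessage>
"""
GOOD_POLICY = """
<AssignMessage name="AM-Example-Set">
  <Set>
    <Headers>
      <Header name="X-Token">{flow.variable.with.token}</Header>
      <Header name="Cookie">{flow.variable.with.cookie}</Header>
    </Headers>
  </Set>
</AssignMessage>
"""

if __name__ == "__main__":
    for name, finding in lint_assign_message(BAD_POLICY):
        print(f"{name}: {finding}")
```

Running it over every AssignMessage file in a proxy bundle before deployment catches the concatenation problem without needing a live request.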