Hello Bernd Hirschmann,
Welcome to the Microsoft Q&A and thank you for posting your questions here.
Problem
I understand that you are experiencing an issue with Azure API Management removing the Set-Cookie header when attempting to delete an authentication cookie during logout, and you need a way to ensure that the Set-Cookie header is forwarded correctly by Azure API Management to adhere to standard cookie deletion practices.
Solution
To ensure Azure API Management forwards the Set-Cookie header correctly when deleting an authentication cookie, first you can try to use a Custom Policy. Azure API Management allows you to use custom policies to modify request and response headers. You can create a policy to ensure the Set-Cookie header is correctly forwarded. This is an example policy that you can add to your API Management instance:
- Open the Azure API Management instance in the Azure portal.
- Navigate to your API.
- Select the "Design" tab.
- In the Inbound processing section, click on the "Inbound processing" link.
- Add the following policy to the "Inbound" section:
```xml
<inbound>
    <base />
    <!-- Overwrite any existing Set-Cookie header with a deletion cookie:
         empty value, Expires in the past and max-age=0 -->
    <set-header name="Set-Cookie" exists-action="override">
        <value>AuthToken=; path=/; domain=yourdomain.com; expires=Thu, 01 Jan 1970 00:00:00 GMT; max-age=0; secure; HttpOnly</value>
    </set-header>
</inbound>
```
Replace yourdomain.com with your actual domain and adjust the other cookie attributes (path, secure, HttpOnly) as needed.
Secondly, if the policy approach doesn't work or if you prefer another method, consider having your backend service explicitly handle cookie deletion. This way, the backend service can set the Set-Cookie header directly in the response, and Azure API Management will forward it without modification.
I don't really know the code that you are familiar with, but you can get the idea. This is an example of code for setting the Set-Cookie header in a backend service (e.g., using Node.js).
```javascript
const express = require('express');
const app = express();

app.post('/logout', (req, res) => {
    // Send Set-Cookie with an empty value and an expiry in the past so the
    // browser discards the AuthToken cookie; path/domain must match the
    // attributes the cookie was originally issued with.
    res.cookie('AuthToken', '', {
        path: '/',
        domain: 'yourdomain.com',
        expires: new Date(0), // Set to a past date
        maxAge: 0,            // Express also emits Max-Age=0
        secure: true,
        httpOnly: true
    });
    res.send('Logged out');
});

app.listen(3000, () => {
    console.log('Server running on port 3000');
});
```
References
Source: Azure API Management Policies. Accessed 6/28/2024.
Source: Set Header Policy. Accessed 6/28/2024.
Source: HTTP Cookie Specification. Accessed 6/28/2024.
Source: Node.js Documentation. Accessed 6/28/2024.
Source: Comprehensive guide on managing HTTP. Accessed 6/28/2024.
Accept Answer
I hope this is helpful! Do not hesitate to let me know if you have any other questions.
**Please don't forget to close up the thread here by upvoting and accepting it as an answer if it is helpful** so that others in the community facing similar issues can easily find the solution.
Best Regards,
Sina Salam
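As an added example (not part of the answer above, and not Azure or Express code), the following Node.js snippet builds the deletion Set-Cookie header the answer describes and checks a Set-Cookie header as actually received by the client, which is the quickest way to confirm whether a header survived the API Management hop and still deletes the cookie. The cookie name `AuthToken` and domain `yourdomain.com` are reused from the answer as placeholders; the function names and the sample headers are constructed for this example.

```javascript
// Build the logout header: empty value, matching Path/Domain, past Expires, Max-Age=0.
function buildDeletionCookie(name, { path = '/', domain, secure = true, httpOnly = true } = {}) {
  const parts = [`${name}=`, `Path=${path}`];
  if (domain) parts.push(`Domain=${domain}`);
  parts.push('Expires=Thu, 01 Jan 1970 00:00:00 GMT', 'Max-Age=0');
  if (secure) parts.push('Secure');
  if (httpOnly) parts.push('HttpOnly');
  return parts.join('; ');
}

// Minimal Set-Cookie parser: name/value pair followed by case-insensitive attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf('=');
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

// Returns a list of problems; an empty list means the header deletes the cookie
// as the browser stored it (same name, path and domain, and already expired).
function checkDeletion(header, expected, now = Date.now()) {
  if (!header) return ['Set-Cookie header missing (stripped by a proxy?)'];
  const problems = [];
  const c = parseSetCookie(header);
  if (c.name !== expected.name) problems.push(`name ${c.name} != ${expected.name}`);
  if ((c.attrs.path || '/') !== (expected.path || '/')) problems.push('path mismatch');
  const dom = (c.attrs.domain || '').replace(/^\./, '').toLowerCase();
  if (dom !== (expected.domain || '').toLowerCase()) problems.push('domain mismatch');
  const maxAge = 'max-age' in c.attrs ? Number(c.attrs['max-age']) : null;
  const expires = 'expires' in c.attrs ? Date.parse(c.attrs.expires) : NaN;
  const expired = (maxAge !== null && maxAge <= 0) || (!Number.isNaN(expires) && expires < now);
  if (!expired) problems.push('neither Max-Age<=0 nor a past Expires: cookie is not deleted');
  return problems;
}

// Constructed sample: the header the backend sends, checked as the client would see it.
const sent = buildDeletionCookie('AuthToken', { domain: 'yourdomain.com' });
console.log(sent, checkDeletion(sent, { name: 'AuthToken', domain: 'yourdomain.com' }));
```

Run `checkDeletion` against the Set-Cookie value captured from the client side of API Management (browser devtools or curl -i); a non-empty list tells you exactly which attribute the gateway altered or dropped.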