![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(38.4, 10%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBH%3C/text%3E%3C/svg%3E)
Azure API Management
An Azure service that provides a hybrid, multi-cloud management platform for APIs.
1,902 questions
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(246.4, 4%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESS%3C/text%3E%3C/svg%3E)
Hello Bernd Hirschmann,
Welcome to the Microsoft Q&A and thank you for posting your questions here.
Problem
I understand that you are experiencing an issue with Azure API Management removing the Set-Cookie header when attempting to delete an authentication cookie during logout and you need a way to ensure that the Set-Cookie header is forwarded correctly by Azure API Management to adhere to standard cookie deletion practices.
Solution
To ensure Azure API Management forwards the Set-Cookie header correctly when deleting an authentication cookie, first you can try to use a Custom Policy.
Azure API Management allows you to use custom policies to modify request and response headers. You can create a policy to ensure the Set-Cookie header is correctly forwarded. This is an example policy that you can add to your API Management instance:
- Open the Azure API Management instance in the Azure portal.
- Navigate to your API.
- Select the "Design" tab.
- In the Inbound processing section, click on the "Inbound processing" link.
- Add the following policy to the "Inbound" section:
<inbound>
<base />
<set-header name="Set-Cookie" exists-action="override">
<value>AuthToken=; path=/; domain=yourdomain.com; expires=Thu, 01 Jan 1970 00:00:00 GMT; max-age=0; secure; HttpOnly</value>
</set-header>
</inbound>
Replace yourdomain.com with your actual domain and adjust the other cookie attributes (path, secure, HttpOnly) as needed.
Secondly.
If the policy approach doesn't work or if you prefer another method, consider having your backend service explicitly handle cookie deletion. This way, the backend service can set the Set-Cookie header directly in the response, and Azure API Management will forward it without modification.
I don't really know the code that you familiar with but you can get the idea. This is an example Code for setting the Set-Cookie Header in a Backend Service (e.g., using Node.js).
const express = require('express');
const app = express();
app.post('/logout', (req, res) => {
res.cookie('AuthToken', '', {
path: '/',
domain: 'yourdomain.com',
expires: new Date(0), // Set to a past date
maxAge: 0,
secure: true,
httpOnly: true
});
res.send('Logged out');
});
app.listen(3000, () => {
console.log('Server running on port 3000');
});
References
Source: Azure API Management Policies. Accessed, 6/28/2024.
Source: Set Header Policy. Accessed, 6/28/2024.
Source: HTTP Cookie Specification. Accessed, 6/28/2024.
Source: Node.js Documentation. Accessed, 6/28/2024.
Source: Comprehensive guide on managing HTTP. Accessed, 6/28/2024.
Accept Answer
I hope this is helpful! Do not hesitate to let me know if you have any other questions.
** Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful ** so that others in the community facing similar issues can easily find the solution.
Best Regards,
Sina Salam