How to use APIM set-header policy to manage Set-Cookie headers

Question

I have a set of backend APIs on Azure App Services behind an instance of APIM. These use the TiPMix and x-ms-routing-name cookies to control slot swaps. Unfortunately, they set these cookies with the wrong domain name, and I'd like to rewrite the cookies using APIM. I'm also running APIM at a /api route managed by Front Door, so I might as well rewrite the cookie paths at the same time.

Ignoring the domain rewrite for now (which is just a Regex), I want to do something like this:



   @{
      var headerValue = context.Response.Headers.GetValueOrDefault("Set-Cookie", "");
      var inputCookies = headerValue.Split(',');
      var outputCookies = new List();
      foreach (var inputCookie in inputCookies) {
         outputCookies.Add(inputCookie.Replace("path=/;", "path=/api;"));
      }
      return outputCookies;
   }

However, GetValueOrDefault concatenates all the Set-Cookie headers into one, split by comma. This is bad for cookies which contain an expiry date containing a comma, so I can't string.Split to get each cookie. After rewriting, I also can't figure out how to make set-header output multiple values: returning a comma-separated string results in a CSV output in the header value, not multiple header-value pairs.

The code above doesn't work because outputCookies can't be a list.

set-header docs don't have enough detail to figure this out, so I've raised a GitHub issue on the docs explaining the same problem.

Could anyone explain how to accomplish this with some example code please?

Accepted Answer

Nathan Thanks for your patience. Please find the answers below:

Make sure that the backend API is returning the headers as multiple header values instead of comma separated values. If the backend itself returns as comma separated values (i.e. single header), it is not possible to loop through with the split.
I used set-header policy (code snippet below) in the outbound section as described in the doc and able to validate that it indeed returned as multiple header values (yes, this only applies to standardized headers such as Cookie, Set-Cookie) to the browser.


        
            Cookie1=Value1;Path=/;Expires=Wed, 21 Oct 2015 07:28:00 GMT;
            Cookie2=Value3;Path=/;Expires=Wed, 21 Oct 2015 07:28:00 GMT;
            Cookie3=Value3;Path=/;Expires=Wed, 21 Oct 2015 07:28:00 GMT;

Output:
User's image

You are right, GetValueOrDefault returns comma-separated response header values as described in the doc. Instead, you can follow the below code snippet to loop through the cookies to generate a string (comma separated values) and then assign it to Set-header. You can even use split inside the for loop based on your scenario. Note: context.Response.Headers returns IReadOnlyDictionary and hence you need to use Set-Header to override the values.


            @{
            if (context.Response.Headers["Set-Cookie"] != null)
            {
                var outputCookies = new List();
                for (var i = 0; i < context.Response.Headers["Set-Cookie"].Count(); i++)
                {
                    outputCookies.Add(context.Response.Headers["Set-Cookie"][i].Replace("Path=/;", "Path=/api;"));
                }
                return String.Join(",",outputCookies);
            }
            return "";
        }

Output:

User's image

Currently, it is not possible to set back the header ('Set-Cookie`) as multiple header values with the dynamic collection. If you are interested in this feature, please feel free to submit via https://aka.ms/apimwish and others with similar interests can upvote it too. This will help our product team prioritize the features.

I hope this helps with your questions and if I miss anything, please let me know.

If you found the answer to your question helpful, please take a moment to mark it as Yes for others to benefit from your experience. Or simply add a comment tagging me and would be happy to answer your questions.

How to use APIM set-header policy to manage Set-Cookie headers

0 additional answers