How to delete a cookie? APIM does not forward expired cookies

Bernd Hirschmann 6 Reputation points

We are using cookies for authentication. When a user logs in, we set a cookie containing an auth token. This works fine with APIM.

But when a user logs out, we want to delete the auth cookie. According to the HTTP specification, deleting a cookie is done by setting max-age to 0 and expires to a date value in the past. But when we do this, APIM removes the Set-Cookie header from our response.

My workaround is to set max-age and expires to 5 seconds in the future, but this is a very hacky solution.

What can I do to fix this and make APIM to forward the Set-Cookie header correctly?

Azure API Management
Azure API Management
An Azure service that provides a hybrid, multi-cloud management platform for APIs.
1,930 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Sina Salam 6,966 Reputation points

    Hello Bernd Hirschmann,

    Welcome to the Microsoft Q&A and thank you for posting your questions here.


    I understand that you are experiencing an issue with Azure API Management removing the Set-Cookie header when attempting to delete an authentication cookie during logout and you need a way to ensure that the Set-Cookie header is forwarded correctly by Azure API Management to adhere to standard cookie deletion practices.


    To ensure Azure API Management forwards the Set-Cookie header correctly when deleting an authentication cookie, first you can try to use a Custom Policy.

    Azure API Management allows you to use custom policies to modify request and response headers. You can create a policy to ensure the Set-Cookie header is correctly forwarded. This is an example policy that you can add to your API Management instance:

    1. Open the Azure API Management instance in the Azure portal.
    2. Navigate to your API.
    3. Select the "Design" tab.
    4. In the Inbound processing section, click on the "Inbound processing" link.
    5. Add the following policy to the "Inbound" section:
        <base />
        <set-header name="Set-Cookie" exists-action="override">
            <value>AuthToken=; path=/;; expires=Thu, 01 Jan 1970 00:00:00 GMT; max-age=0; secure; HttpOnly</value>

    Replace with your actual domain and adjust the other cookie attributes (path, secure, HttpOnly) as needed.


    If the policy approach doesn't work or if you prefer another method, consider having your backend service explicitly handle cookie deletion. This way, the backend service can set the Set-Cookie header directly in the response, and Azure API Management will forward it without modification.

    I don't really know the code that you familiar with but you can get the idea. This is an example Code for setting the Set-Cookie Header in a Backend Service (e.g., using Node.js).

    const express = require('express');
    const app = express();'/logout', (req, res) => {
        res.cookie('AuthToken', '', {
            path: '/',
            domain: '',
            expires: new Date(0), // Set to a past date
            maxAge: 0,
            secure: true,
            httpOnly: true
        res.send('Logged out');
    app.listen(3000, () => {
        console.log('Server running on port 3000');


    Source: Azure API Management Policies. Accessed, 6/28/2024.

    Source: Set Header Policy. Accessed, 6/28/2024.

    Source: HTTP Cookie Specification. Accessed, 6/28/2024.

    Source: Node.js Documentation. Accessed, 6/28/2024.

    Source: Comprehensive guide on managing HTTP. Accessed, 6/28/2024.

    Accept Answer

    I hope this is helpful! Do not hesitate to let me know if you have any other questions.

    ** Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful ** so that others in the community facing similar issues can easily find the solution.

    Best Regards,

    Sina Salam