Pass multiple Set-Cookie headers in an API in webMethods API Gateway

API Gateway 10.15

I am trying to integrate with a vendor that has a token API and an API X that needs the token for authentication. The token API returns the authentication token in the form of 3 Set-Cookie headers:

Set-Cookie BPMCSRF=JaJleGtiyeIceUmm170iBu; path=/
Set-Cookie UserName=115|109|111|104|97|109|109 path=/; HttpOnly
Set-Cookie .ASPXAUTH=3E9793C24B457E1C431A40B976AB; path=/; HttpOnly

I am supposed to use these 3 headers and pass them to the X API. From API GW, I created an API for the X API and used a custom extension in the request processing policy that calls the token API and copies the entire response, then straight-through routing to the other API. It worked for the GET methods, but for the POST method it overwrites the body that is sent to the API. So it doesn’t work in case the X API is a POST API.

Has anyone faced this issue before, and how do I pass the 3 Set-Cookie headers to an API?


Please explain how you configured the policy to pass the 3 headers to the native service.
I did quick checks in the gateway with a request transformation policy and it seems not to be able to forward 3 headers with the same name - only one out of the three is kept.

I called the token API in a custom extension, where there is an option to copy the whole response. I selected this option so I didn’t need to map it manually. However, in the case of POST APIs this option overwrites the actual body received from the client, which is why this option does not work for all cases.

Alright, I see several issues here.
The Set-Cookie header is usually returned by a web server to a web browser, in order to instruct the latter to store the cookie. The web browser then sends the value previously returned in the Set-Cookie header in subsequent calls, using the Cookie header (not Set-Cookie.)
So, if your token API returns 3 Set-Cookie headers, you need to send three Cookie headers to API X.

From what you wrote, I tend to understand you’re trying to send these cookies to the API X in the request body, which probably isn’t right.
If you’re making a call to an IS service in a custom extension, you should try to inject these headers directly in the IS service.

One more question: what do you pass to the token API request in order to get these cookies? Do you need to pass it some credentials coming from the API caller? Or do you always pass it the same credentials?
If your token API does not check credentials of the caller, but is just in charge of giving you credentials to call the backend, then you should probably place your custom extension in the request processing stage.

Dear Stephan,
Yes, the custom extension is in the request processing stage, but I am not calling an IS service in the custom extension. I am calling the endpoint directly, which returns the headers in its response, and I select the option to copy the entire response in order to pass the returned headers from the token endpoint as headers to API X. When I opened the tracer, the headers are passed as Cookie headers normally.

The API that returns the token takes a static username and password not related to any passed inputs.

Again, this resolves the issue in case the method of API X is GET, but when the method of the API is POST the issue is not resolved, as copying the entire response of the custom extension overwrites the request received.
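
Added example, not part of the original thread and not webMethods code: the header handling discussed above, written in Python. It takes the token API's Set-Cookie response headers, folds the name=value pairs into a single Cookie request header, and leaves the client's POST body as received. The function names and sample values are constructed for illustration, and no API Gateway API is used.

```python
from typing import Iterable

Header = tuple[str, str]

# Constructed sample modelled on the three headers in the thread.
TOKEN_RESPONSE = [
    ("Content-Type", "application/json"),
    ("Set-Cookie", "BPMCSRF=csrf-example; path=/"),
    ("Set-Cookie", "UserName=115|109; path=/; HttpOnly"),
    ("Set-Cookie", ".ASPXAUTH=AUTH-EXAMPLE; path=/; HttpOnly"),
]


def cookie_pairs(response_headers: Iterable[Header]) -> list[Header]:
    """Return (name, value) for every Set-Cookie header, attributes dropped."""
    pairs = []
    for name, value in response_headers:
        if name.lower() != "set-cookie":
            continue
        # Only the first ';'-separated segment is the cookie; Path, HttpOnly
        # and similar attributes are for the client and are never sent back.
        cname, sep, cvalue = value.split(";", 1)[0].strip().partition("=")
        cname, cvalue = cname.strip(), cvalue.strip()
        if not sep or not cname:
            continue  # no name=value pair in this header
        # Reject whitespace and control characters so a hostile or broken
        # token response cannot inject extra headers into the backend call.
        if any(ch.isspace() or ord(ch) < 0x20 or ord(ch) == 0x7F
               for ch in cname + cvalue):
            raise ValueError(f"unsafe character in cookie {cname!r}")
        pairs.append((cname, cvalue))
    return pairs


def to_backend_request(method, client_headers, body, token_response_headers):
    """Attach the vendor cookies to the client's request; body is untouched."""
    pairs = cookie_pairs(token_response_headers)
    # Drop any Cookie header from the caller so only the vendor session is sent.
    headers = [(n, v) for n, v in client_headers if n.lower() != "cookie"]
    # One Cookie header with '; '-joined pairs (RFC 6265, section 5.4), so
    # nothing relies on forwarding three headers that share a name.
    headers.append(("Cookie", "; ".join(f"{n}={v}" for n, v in pairs)))
    return method, headers, body


if __name__ == "__main__":
    print(to_backend_request("POST", [("Content-Type", "application/json")],
                             b'{"id": 1}', TOKEN_RESPONSE))
```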