13

I am facing a problem with Spring Cloud Zuul proxy. I have two microservices configured, up and running. I have a cookie in my web browser and I am using Zuul as an API Gateway. When I hit Zuul to call my backend, Zuul is not forwarding my cookie to my backend. It seems that Zuul is ignoring the cookie sent, and my backend is not able to retrieve it.

Can you please help me with this issue? I am using Spring Cloud Brixton.RELEASE and Spring Boot 1.3.5.

Regards.

Erikson Murrugarra

4 Answers

13

In Spring Cloud Netflix 1.1, "Cookies" is included in the sensitive headers list and they are not passed down.

This can be manipulated via the config property zuul.routes.*.sensitiveHeaders.

See documentation details here under heading "Cookies and Sensitive Headers":

http://cloud.spring.io/spring-cloud-netflix/spring-cloud-netflix.html

Dan C
  • Thanks for the reply. Let me try your suggestion. – Erikson Murrugarra Jun 15 '16 at 20:09
  • 1
    Take a look at the ZuulProperties class. There are two ways to configure sensitive headers: one globally and one for each route. Set-Cookie and Cookie are included by default. To enable them, you need to override this with something else. For example: zuul.sensitiveHeaders: Authorization – qza Jul 01 '16 at 08:44
  • I read through the docs above, but those docs don't exactly spell out how you "override" the defaults. I didn't automatically make the assumption that if I specified a new value for sensitiveHeaders that the defaults (Cookie,Set-Cookie,Authorization) would be unset. However I can confirm that setting the value to something different does unset the default completely. Thanks @qza for the helpful tip. – Privateer Jul 21 '16 at 22:14
2

The default Zuul sensitive headers, which are not forwarded, are:

zuul.sensitiveHeaders=Cookie,Set-Cookie,Authorization

To be able to forward cookies, you can put this in your bootstrap.properties file:

zuul.sensitiveHeaders=

Or, if you don't need the Authorization header:

zuul.sensitiveHeaders=Authorization
Walterwhites
1

Add sensitive headers in application.yml like this:

zuul:
  routes:
    service:
      path: /service/**
      sensitiveHeaders: Cookie,Set-Cookie
      url: http://localhost:9001
Tushar Wasson
-3

I have solved this problem by just passing the data sent in my cookie using simple HTTP headers.

Erikson Murrugarra
  • 1
    Doing this with HTTP Only Headers, such as the cookies, would allow a client to spoof security checks or modify server-side cookie data. – Kieveli Apr 15 '19 at 18:57