Spring Cloud Zuul does not forward cookies
Solution 1
I have solved this problem just by passing the data sent in my cookie using simple HTTP headers.
Solution 2
In Spring Cloud Netflix 1.1, "Cookies" is included in the sensitive headers list and they are not passed down.
This can be manipulated with the config property zuul.routes.*.sensitiveHeaders.
See documentation details here under heading "Cookies and Sensitive Headers":
http://cloud.spring.io/spring-cloud-netflix/spring-cloud-netflix.html
Solution 3
The default Zuul sensitive headers, which prevent this data from being forwarded, are:
zuul.sensitiveHeaders=Cookie,Set-Cookie,Authorization
To be able to forward cookies, you can put this in your bootstrap.properties file:
zuul.sensitiveHeaders=
Or, if you don't need the Authorization header:
zuul.sensitiveHeaders=Authorization
Solution 4
Add sensitive headers in application.yml like this:
zuul:
  routes:
    service:
      path: /service/**
      sensitiveHeaders: Cookie,Set-Cookie
      url: http://localhost:9001
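An added example, not part of the original answers or of Spring Cloud Netflix: a small Python model of the override rules described on this page (a configured value replaces the defaults entirely, and a per-route value overrides the global one) that lists which credential-bearing headers each route would forward downstream. It assumes properties-style keys spelled as on this page; the sample configuration and its route names are constructed.

```python
# Added example: a simplified model of the override rules, not Zuul's own code.
DEFAULT_SENSITIVE = {"cookie", "set-cookie", "authorization"}  # defaults quoted in Solution 3

def parse_properties(text):
    """Parse key=value lines (bootstrap.properties style); skips blanks and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def header_set(value):
    """Turn 'Cookie, Set-Cookie' into {'cookie', 'set-cookie'}; '' gives an empty set."""
    return {h.strip().lower() for h in value.split(",") if h.strip()}

def forwarded_credentials(text):
    """Return {route: sorted default-sensitive headers that WILL be forwarded}."""
    props = parse_properties(text)
    # A global value, even an empty one, replaces the defaults entirely.
    if "zuul.sensitiveHeaders" in props:
        global_set = header_set(props["zuul.sensitiveHeaders"])
    else:
        global_set = DEFAULT_SENSITIVE
    routes = {k.split(".")[2] for k in props if k.startswith("zuul.routes.") and k.count(".") >= 3}
    report = {}
    for route in sorted(routes):
        key = f"zuul.routes.{route}.sensitiveHeaders"
        # A per-route value overrides the global one for that route only.
        effective = header_set(props[key]) if key in props else global_set
        report[route] = sorted(DEFAULT_SENSITIVE - effective)
    return report

# Constructed sample configuration; route names and URLs are made up.
SAMPLE = """
zuul.sensitiveHeaders=Authorization
zuul.routes.service.path=/service/**
zuul.routes.service.url=http://localhost:9001
zuul.routes.service.sensitiveHeaders=Cookie,Set-Cookie
zuul.routes.legacy.path=/legacy/**
zuul.routes.open.path=/open/**
zuul.routes.open.sensitiveHeaders=
"""

if __name__ == "__main__":
    for route, leaked in forwarded_credentials(SAMPLE).items():
        print(f"{route}: forwards {', '.join(leaked) or 'none of the default-sensitive headers'}")
```

Running a check like this over a gateway's configuration shows at a glance which backends receive browser cookies or Authorization headers, so forwarding can be limited to the routes that actually need them.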
Comments
-
Erikson Murrugarra about 2 years
I am facing a problem with Spring Cloud Zuul proxy. I have two microservices configured, up and running. I have a cookie in my web browser and I am using Zuul as an API gateway. When I hit Zuul to call my backend, Zuul is not forwarding my cookie to my backend. It seems that Zuul is ignoring the cookie sent and my backend is not able to retrieve it.
Can you please help me with this issue? I am using Spring Cloud Brixton.RELEASE and Spring Boot 1.3.5.
Regards.
-
Erikson Murrugarra about 8 years
Thanks for the reply. Let me try your suggestion.
-
qza almost 8 years
Take a look at ZuulProperties class. There are two ways to configure sensitive headers, one globally and for each route. Set-Cookie and Cookie are included by default. To enable them, you need to override this with something else. For example: zuul.sensitiveHeaders: Authorization
-
Privateer almost 8 years
I read through the docs above, but those docs don't exactly spell out how you "override" the defaults. I didn't automatically make the assumption that if I specified a new value for sensitiveHeaders that the defaults (Cookie,Set-Cookie,Authorization) would be unset. However I can confirm that setting the value to something different does unset the default completely. Thanks @qza for the helpful tip.
-
Kieveli about 5 years
Doing this with HTTP Only Headers, such as the cookies, would allow a client to spoof security checks or modify server-side cookie data.