How to retain the browser Cookie header when forwarding requests through the Post-Function plugin

Uses: Kong Gateway
TL;DR

How can I ensure that a request forwarded through a Kong Gateway Post-Function plugin retains the cookie passed from the browser?

The Cookie header isn’t propagated to the upstream service automatically. Use a Pre-Function plugin to capture it into kong.ctx.shared, then a Post-Function plugin to set it on the upstream request.

Problem

When a request is forwarded through a post-function plugin, the Cookie header passed from the browser is not retained, causing authorization errors on the upstream service.

Cause

The request handling does not propagate the Cookie header to the upstream service.

Solution

Use a Pre-Function plugin and a Post-Function plugin together to capture and forward the Cookie header.

  1. Use the Pre-Function plugin to store the Cookie in a shared context (kong.ctx.shared).

    Capture the Cookie header from the incoming request and store it in the shared context. This makes the Cookie available across different phases of request processing.

    kong.ctx.shared.cookie = kong.request.get_header("Cookie")

    Or, to capture a specific cookie by name instead of the entire header:

    kong.ctx.shared.session_cookie = ngx.var.cookie_session

  2. Retrieve the Cookie from the shared context in the Post-Function plugin and set it as a header on the upstream request.

    In the Post-Function plugin, retrieve the Cookie from the shared context and set it as a header in the request being forwarded to the upstream service.

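    -- set_header rejects a nil value, so skip requests that carried no Cookie header
    if kong.ctx.shared.cookie then kong.service.request.set_header("Cookie", kong.ctx.shared.cookie) end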

This approach ensures that the Cookie passed from the browser is retained and forwarded correctly through the Post-Function plugin, allowing the upstream service to authenticate and authorize the request.

Because kong.ctx.shared is scoped to the current request, cookies from concurrent requests are handled without interference.
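
Both steps wired into one declarative configuration, as an added example that is not part of the original page or Kong's own code. The service name, route path and upstream URL are hypothetical, and it forwards only the cookie named session (matching the ngx.var.cookie_session snippet above) rather than the whole Cookie header.

```yaml
_format_version: "3.0"

services:
  - name: example-upstream                 # hypothetical service name
    url: http://upstream.internal:8080     # hypothetical upstream URL
    routes:
      - name: example-route                # hypothetical route
        paths:
          - /app
    plugins:
      # Step 1: runs at the start of the access phase, before other plugins.
      - name: pre-function
        config:
          access:
            - |
              -- Capture only the cookie the upstream needs.
              -- ngx.var.cookie_session is nil when the browser sent no "session" cookie.
              kong.ctx.shared.session_cookie = ngx.var.cookie_session

      # Step 2: runs at the end of the access phase, after other plugins.
      - name: post-function
        config:
          access:
            - |
              local session = kong.ctx.shared.session_cookie
              -- set_header raises an error on nil, so only set the header
              -- when a value was captured for this request.
              if session then
                kong.service.request.set_header("Cookie", "session=" .. session)
              end
```

Forwarding a single named cookie keeps unrelated browser cookies (analytics, other applications on the same domain) away from the upstream service.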

Warning: This code snippet is a basic example and requires review before you implement it in any environment. Do not use this code as-is; review and test this code thoroughly before using it in any environment. Depending on your requirements, you may need to add error handling or additional logic.
