I have a Static Web App (blabla-web-dev) linked to an Azure Function App (blabla-pub-api-dev) via Serverless API hosting. Both use custom domains; SWA uses https://dev.blabla.bla and the Function App uses https://api.dev.blabla.bla
The app uses an SSR-like architecture where pages are rendered by the Function App and returned through SWA routes (e.g., /api/pages/...).
The Function App issues short-lived session cookies like this:
```http
Set-Cookie: auth_secret=abc123; Path=/; HttpOnly; Secure; SameSite=None
```
When I call the endpoint directly (https://api.dev.blabla.bla/api/debug/probe), the cookie appears in the browser as expected. However, when I call the same endpoint through SWA proxy (https://dev.blabla.bla/api/debug/probe), the response arrives without any Set-Cookie header — it’s stripped by SWA before reaching the browser.
No redirect or CORS issue occurs, and the Function logs clearly show the cookie being set.
I'm using Python Azure Functions.
I expected the Set-Cookie header to pass through the SWA proxy unchanged since both apps share the same top-level domain (dev.blabla.bla) and SWA should act as a transparent proxy for the linked backend.
I verified the following:
- Function App returns a 200 OK response (not 3xx).
- Cookie attributes are valid (Secure; HttpOnly; SameSite=None).
- CORS allows origin https://dev.blabla.bla with credentials.
- The issue persists with and without the Domain attribute.
- Works perfectly when called directly (outside SWA).
It seems Azure Static Web Apps are filtering or not forwarding Set-Cookie headers for linked Function backends.
staticwebapp.config.json:

```json
{
  "routes": [
    {
      "route": "/",
      "rewrite": "/api/pages/index"
    },
    {
      "route": "/en/auth/registration",
      "rewrite": "/api/pages/auth/registration"
    },
    {
      "route": "/en/settings",
      "rewrite": "/api/pages/settings"
    },
    {
      "route": "/api/*",
      "allowedRoles": ["anonymous"]
    }
  ],
  "navigationFallback": {
    "rewrite": "/index.html",
    "exclude": ["/api/*", "/styles/*", "/scripts/*", "/public/*", "/auth/*"]
  }
}
```
Has anyone successfully made cookies propagate through a linked Function App? Do I need an additional configuration (headers, rewrite rules, or API Management gateway) to make SWA pass the cookie header intact?
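The checks listed in the question (no 3xx on the hop, cookie attributes browsers will accept, and whether the Set-Cookie header survives the proxy) can be scripted so the comparison is repeatable. The following is an added example, not code from the question or from Azure; the two response captures are constructed to mirror the behaviour described (cookie present on the direct call, absent through the SWA proxy), and a real run would fill them from the two URLs with any HTTP client.

```python
from http.cookies import SimpleCookie
from typing import Dict, List, Tuple

Headers = List[Tuple[str, str]]

# Constructed sample captures modelled on the question: the direct call to the
# Function App carries the cookie, the same call through the SWA proxy does not.
DIRECT_RESPONSE: dict = {
    "url": "https://api.dev.blabla.bla/api/debug/probe",
    "status": 200,
    "headers": [
        ("Content-Type", "text/html; charset=utf-8"),
        ("Set-Cookie", "auth_secret=abc123; Path=/; HttpOnly; Secure; SameSite=None"),
    ],
}
PROXIED_RESPONSE: dict = {
    "url": "https://dev.blabla.bla/api/debug/probe",
    "status": 200,
    "headers": [
        ("Content-Type", "text/html; charset=utf-8"),
    ],
}


def set_cookie_values(headers: Headers) -> List[str]:
    """Return every Set-Cookie value (header names are case-insensitive), in order."""
    return [value for name, value in headers if name.lower() == "set-cookie"]


def cookie_attribute_problems(header_value: str) -> List[str]:
    """Flag attribute combinations that make a browser reject or expose the cookie."""
    jar = SimpleCookie()
    jar.load(header_value)  # parses Path/Secure/HttpOnly/SameSite into a Morsel per cookie
    problems: List[str] = []
    for name, morsel in jar.items():
        samesite = (morsel["samesite"] or "").lower()
        if samesite == "none" and not morsel["secure"]:
            problems.append(f"{name}: SameSite=None requires Secure")
        if not morsel["secure"]:
            problems.append(f"{name}: missing Secure")
        if not morsel["httponly"]:
            problems.append(f"{name}: missing HttpOnly (session cookie readable from script)")
    return problems


def diagnose(direct: dict, proxied: dict) -> Dict[str, object]:
    """Compare cookie delivery on the direct path and the proxied path."""
    findings: List[str] = []
    # A 3xx on either hop is the classic reason a Set-Cookie never reaches the browser.
    for label, resp in (("direct", direct), ("proxied", proxied)):
        if 300 <= resp["status"] < 400:
            findings.append(f"{label}: {resp['status']} redirect, cookie may be lost on the hop")
    direct_cookies = set_cookie_values(direct["headers"])
    proxied_cookies = set_cookie_values(proxied["headers"])
    # Attribute problems only matter on the path where the cookie actually arrives.
    for value in direct_cookies:
        findings.extend(f"direct: {p}" for p in cookie_attribute_problems(value))
    # Cookie names present directly but absent through the proxy were stripped in between.
    direct_names = {v.split("=", 1)[0].strip() for v in direct_cookies}
    proxied_names = {v.split("=", 1)[0].strip() for v in proxied_cookies}
    stripped = sorted(direct_names - proxied_names)
    for name in stripped:
        findings.append(f"proxied: Set-Cookie '{name}' present on direct path, missing through proxy")
    return {"stripped_cookies": stripped, "findings": findings}


if __name__ == "__main__":
    for line in diagnose(DIRECT_RESPONSE, PROXIED_RESPONSE)["findings"]:
        print(line)
```

Running it on the constructed captures reports exactly one finding, the stripped `auth_secret` cookie, and no attribute problems, which matches what the question describes. Swapping the captures for live responses separates "the proxy drops the header" from "the browser rejected the cookie" before any configuration is changed.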