Sometimes the upstream service insists on setting a cookie you do not want the client to keep, whether that is a session cookie during logout testing or a third party tracker during a privacy review. removeResponseCookieAction ends the negotiation on your terms: the cookie is set, then immediately expired, so the client never stores it.
removeResponseCookieAction is the cleanest way to clear a server set cookie on the client without touching the upstream service. The action rewrites the matching Set-Cookie header with a past expiration date, which causes the browser or HTTP client to drop the cookie immediately.
It is useful when:
Pair it with a hasSetCookieOnResponseFilter if you only want the action to run when the cookie is actually present.
Reproduce the logout path consistently by stripping the session cookie on every response, regardless of what the upstream returns.
rules:
- filter:
typeKind: HostFilter
pattern: app.example.com
actions:
- typeKind: RemoveResponseCookieAction
name: JSESSIONID
Useful for privacy testing. Even if the CDN insists on setting a tracker, the action makes sure the client never keeps it.
rules:
- filter:
typeKind: HostFilter
pattern: cdn.example.com
actions:
- typeKind: RemoveResponseCookieAction
name: _ga
Avoid rewriting responses that did not set the cookie in the first place by gating the action with a filter.
rules:
- filter:
typeKind: FilterCollection
operation: And
children:
- typeKind: HostFilter
pattern: api.internal.example.com
- typeKind: HasSetCookieOnResponseFilter
name: refresh_token
actions:
- typeKind: RemoveResponseCookieAction
name: refresh_token
Remove a response cookie by setting the expiration date to a past date.
Evaluation scope defines the timing where this filter will be applied.
responseHeaderReceivedFromRemote This scope occurs the moment fluxzy has done parsing the response header.
removeResponseCookieAction
The following table describes the customizable properties available for this action:
| Property | Type | Description | DefaultValue |
|---|---|---|---|
| name | string | Cookie name |
The following examples apply this action to any exchanges
Remove a cookie named JSESSIONID.
rules:
- filter:
typeKind: AnyFilter
actions:
- typeKind: RemoveResponseCookieAction
name: JSESSIONID
View definition of RemoveResponseCookieAction for .NET integration.
This action has no related action
No. The cookie store on the upstream is untouched. The action only rewrites the Set-Cookie header on the response that the proxy returns to the client.
The action sets a Set-Cookie entry with an expired date anyway, which is harmless. The client simply discards a cookie that was never there.
Add several removeResponseCookieAction entries under the same actions list. Each entry handles one cookie by name.
Functionally they are similar, but removeResponseCookieAction is purpose built and easier to read in a rule file. Use the dedicated action so the intent is clear to reviewers.