Cookies sent to FIT from a source server are automatically passed on to the client,
unless explicitly disabled. To disable the automatic passing of cookies, use the
The cookies are accessible for information or (DOM) manipulation at
fit://request/cookies in the following format:

  <cookies>
    <cookie name="cookieName" [path="..." domain="..." expires="..." secure="true|false" httpOnly="true|false"] transparent="true|false">cookieValue</cookie>
    <cookie name="..." [...] transparent="...">...</cookie>
    [...]
  </cookies>
By default, FIT renames and encodes the cookies that are sent downstream so that they include the domain and path of the source servers. This allows FIT to determine the appropriate sources for the incoming cookies in subsequent requests. This is necessary because FIT uses opaque URLs to aggregate multiple sources behind one host.
The encoded cookies follow the naming scheme __fitS__NN, where the optional S denotes secure cookies and NN is an index starting with 0. The value with all required information is encoded like this:
You can enable the transparent mode for your main source in the source configuration:

  <sources>
    <source host="example.com">
      <cookies mode="transparent|force-transparent" />
    </source>
  </sources>
To transfer a cookie in transparent mode, the cookie path must be empty or / for security reasons. Otherwise, the cookie is automatically passed on to the client in the encoded mode (see above). You can force transparent cookies with a path differing from / by setting the cookie mode to force-transparent (this should be used together with trailing URL Marks).
FIT retains the domain attribute of cookies it receives if it is valid for the request. For transparent cookies, it must be valid for the host name of the FIT server as well. Otherwise, FIT drops the domain attribute.
The transparent mode should be used with caution. We recommend activating the transparent mode only for a single source server per site. If transparent mode is enabled, all non-encoded incoming cookies are automatically passed on to all source servers of the current site for which transparent mode is enabled, since FIT cannot know which site the cookies originated from. This is a potential security and privacy risk.
For transparent cookies to function, the <fit-cookies/> option still has to be enabled.
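The path, mode and domain rules described above, worked through as an added Python model. This is not FIT's own code: it reads a fit://request/cookies document, decides per cookie whether it may go to the client transparently, and otherwise renames it to __fit[S]__NN. Assumptions: the domain check is standard RFC 6265 domain matching, and FIT's re-encoding of the cookie value (which embeds the source domain and path) is not shown on this page and is therefore omitted.

```python
"""Model of FIT's transparent/encoded cookie pass-through rules (added example)."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Downstream:
    name: str           # cookie name as sent to the client
    value: str          # FIT's value re-encoding is not on this page; value kept as-is (assumption)
    transparent: bool   # True if passed on unchanged, False if renamed/encoded
    domain: Optional[str]  # domain attribute retained, or None if FIT drops it


def domain_matches(domain: str, host: str) -> bool:
    """RFC 6265 domain-match (assumed): host equals domain or is a subdomain of it."""
    d = domain.lstrip(".").lower()
    h = host.lower()
    return h == d or h.endswith("." + d)


def pass_cookies(cookies_xml: str, source_host: str, fit_host: str,
                 mode: str = "encoded") -> List[Downstream]:
    """mode is the <cookies mode="..."/> setting of the source: 'encoded' (default),
    'transparent' (path must be empty or '/') or 'force-transparent' (any path)."""
    root = ET.fromstring(cookies_xml)
    out: List[Downstream] = []
    index = 0  # NN in __fit[S]__NN, starting with 0
    for c in root.iter("cookie"):
        name, value = c.get("name", ""), c.text or ""
        path, domain = c.get("path", ""), c.get("domain")
        secure = c.get("secure") == "true"
        # Transparent only if the mode allows it and the path rule is satisfied.
        transparent = mode == "force-transparent" or (
            mode == "transparent" and path in ("", "/"))
        # The domain attribute is retained only if valid for the request; for
        # transparent cookies it must be valid for the FIT host as well.
        if domain is not None:
            valid = domain_matches(domain, source_host)
            if transparent:
                valid = valid and domain_matches(domain, fit_host)
            if not valid:
                domain = None
        if transparent:
            out.append(Downstream(name, value, True, domain))
        else:
            encoded_name = f"__fit{'S' if secure else ''}__{index}"
            out.append(Downstream(encoded_name, value, False, domain))
            index += 1
    return out
```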
To instruct a client to delete a cookie, the expires date must be set to a time in the past of the current UNIX timestamp. So it is enough to set the expires attribute to the UNIX timestamp 0 (or another timestamp that is in the past of the current UNIX timestamp).

  <flow>
    ...
    <set-attributes in="fit://request/cookies" out="fit://request/cookies"
                    xpath="//cookie[@name='COOKIE-NAME']" expires="0" />
    ...
  </flow>

  <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
    ...
    <xsl:template match="cookie[@name='COOKIE-NAME']/@expires">
      <!-- The UNIX timestamp "123456" is already in the past of the current UNIX timestamp -->
      <xsl:attribute name="expires">123456</xsl:attribute>
    </xsl:template>
    ...
  </xsl:stylesheet>