Cookie Header Not Being Passed in Request Headers #2772

Open
sohitkumar opened this issue Feb 11, 2025 · 1 comment

sohitkumar commented Feb 11, 2025

Description

We are using the Cookie header to pass authentication tokens for our APIs:

Cookie: SAAS_COMMON_BASE_TOKEN_ID=<token>

However, when defining this in our OpenAPI spec as follows:

components:
  securitySchemes:
    cookieAuth:
      type: apiKey
      name: SAAS_COMMON_BASE_TOKEN_ID
      in: cookie

{
  "components": {
    "securitySchemes": {
      "cookieAuth": {
        "type": "apiKey",
        "name": "SAAS_COMMON_BASE_TOKEN_ID",
        "in": "cookie"
      }
    }
  }
}

The Cookie key header is not being included in the request headers when making API calls through Stoplight Elements.

Interestingly, if we change the name to something other than "Cookie", it appears correctly in the request headers. This suggests that Stoplight Elements may be blocking the Cookie header from being set in the request.

Expected Behavior

  • The Cookie header should be passed correctly in request headers when defined in OpenAPI security schemes.

Actual Behavior

  • The Cookie header is missing from the request headers when sent through Stoplight Elements.
  • Other headers work fine if a different name is used.

Steps to Reproduce

  1. Define an OpenAPI spec with cookieAuth as shown above.
  2. Use Stoplight Elements to make a request to an API requiring this authentication.
  3. Observe that the Cookie header is missing in the request.

Environment

  • Stoplight Elements Version: [Specify your version]
  • Browser: [Chrome/Firefox/etc.]
  • OS: [Windows/macOS/Linux]

Possible Cause

It appears that Stoplight Elements may be intentionally blocking or filtering out the Cookie header. Could this be a security-related restriction?

Additional Context

If this is an intentional limitation, is there a recommended workaround for passing authentication tokens via Cookie headers?
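
Background to the question above, as an added example that is not part of the original issue or of Stoplight Elements' code: the Fetch standard lists `Cookie` among the forbidden request headers, which script running in a browser cannot set through `fetch` or `XMLHttpRequest`. The sketch below checks an OpenAPI document's apiKey schemes against that list; `isForbiddenHeader`, `auditSecuritySchemes` and the `headerAuth`/`X-Api-Key` scheme are hypothetical names, and whether this is the cause in Elements is not established on this page.

```javascript
// Unconditionally forbidden request-header names from the Fetch standard.
// Browser script (fetch / XMLHttpRequest) cannot set these on a request.
const FORBIDDEN = new Set([
  'accept-charset', 'accept-encoding', 'access-control-request-headers',
  'access-control-request-method', 'connection', 'content-length', 'cookie',
  'cookie2', 'date', 'dnt', 'expect', 'host', 'keep-alive', 'origin',
  'referer', 'set-cookie', 'te', 'trailer', 'transfer-encoding', 'upgrade',
  'via',
]);

// Header names are case-insensitive; Proxy-* and Sec-* are forbidden too.
function isForbiddenHeader(name) {
  const n = String(name).toLowerCase();
  return FORBIDDEN.has(n) || n.startsWith('proxy-') || n.startsWith('sec-');
}

// Hypothetical helper: for each apiKey scheme, work out which HTTP header
// would carry the key and whether browser script is allowed to set it.
function auditSecuritySchemes(spec) {
  const schemes = (spec.components && spec.components.securitySchemes) || {};
  const findings = [];
  for (const [id, scheme] of Object.entries(schemes)) {
    if (!scheme || scheme.type !== 'apiKey') continue;
    if (scheme.in === 'query') continue; // sent in the URL, not in a header
    // "in: cookie" means the key travels as a name=value pair in Cookie.
    const header = scheme.in === 'cookie' ? 'Cookie' : scheme.name;
    findings.push({ id, header, settableByScript: !isForbiddenHeader(header) });
  }
  return findings;
}

// Constructed sample: the scheme from the issue plus an ordinary header
// scheme (headerAuth / X-Api-Key are assumptions added for comparison).
const sampleSpec = {
  components: {
    securitySchemes: {
      cookieAuth: { type: 'apiKey', name: 'SAAS_COMMON_BASE_TOKEN_ID', in: 'cookie' },
      headerAuth: { type: 'apiKey', name: 'X-Api-Key', in: 'header' },
    },
  },
};

for (const f of auditSecuritySchemes(sampleSpec)) {
  console.log(`${f.id}: ${f.header} settable by script = ${f.settableByScript}`);
}
```

In a browser, cookies are attached to a request only from the browser's own cookie store, subject to the request's `credentials` mode.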


saper commented Feb 17, 2025

I think this is a duplicate of #2721
