I find this issue a little bit confusing, but I'll try my best to explain.

For some context, we have a CORS policy for the proxy (it is set like in the doc https://docs.apigee.com/api-platform/develop/adding-cors-support-api-proxy). Also, the API uses a couple of cookies to create an user session.

So the devs are saying the following: when they test the api requests in a browser with CORS disabled, it works fine. The cookies are sent, set in the browser and the session works fine (we changed the cookies' domain to match the Apigee's domain).

But in browsers with CORS, the cookies are not being set.

I'm not sure if Apigee is even related here, but maybe someone has some idea.

I guess my questions are: the AM CORS policy wouldn't interfere with the AM policy that set's the cookie, right? Is there a limit or something like that for AMs policies?

Could it be that the problem is still the cookie's domain? Also, it was suggested to customize the domain (https://docs.apigee.com/api-platform/publish/portal/custom-domain). Could that solve it?

Anyway, any insight is appreciated. Thank you.