Webhook cookie

Started by jn Casassus in Getting Started

Is it possible to relax the rule about no cookie in the header when validating the webhook?

We introduced that requirement to ensure high levels of security, and we don't currently have any plans to relax that rule. Is it causing you difficulty with your integration, and if so in what ways?

Nick Green (Xero Staff)  

I am trying to use Salesforce as a receiving point, and there is a cookie with every web service reply that I can't remove.

jn Casassus  


I've been speaking to some internal Salesforce experts and we haven't seen this problem ourselves. I haven't tried that myself, but I would think that if Salesforce is hosting your code then there is a way to clear all cookies from the response. What have you done to try clearing the cookies?

Nick Green (Xero Staff)  

There are no cookies from the web service code; the cookie is added by the platform. If you've checked with your internal experts, I'd like to know the way of removing the platform cookie. Perhaps you can supply a sample like the C# one?

jn Casassus  

Hi there,

I am still trying to find a more concrete answer for you regarding this. Are you using built in Salesforce functionality to consume the webhooks or are you writing custom code for this?

Steven McDonald (Xero Staff)  

To make a web service public, you need to have a site (in Setup, Sites) and to create a class that will expose the service. You need to give the site permission to use that class. You'll obtain a public URL like the following


In the class, you need to create a POST method that returns 200 or 401 depending on the signature check.

You can check that the service is working by using tools like Postman. In that case I can see that the header contains a cookie named BrowserId; it's not part of the class, it's something that is automatically added by the platform and can't be disabled as far as I can see. That's the reason for my question about whether the cookie policy can be relaxed.

jn Casassus  

Hi, thanks for writing back and sorry for the delay in response.

If you're running custom code (is this a Java servlet?) then you should be able to do something like this:

Cookie cookie = new Cookie("BrowserId", "");
cookie.setMaxAge(0); response.addCookie(cookie); // max-age 0 expires the cookie; it has no effect until added to the response

In theory that should remove the cookie. Could you please try this and see if it removes the cookie from the response?

Nick Green (Xero Staff)  

Salesforce web services are not based on Java; they're based on Apex.
In my previous comment, I've explained the logic behind it.
In the web service class, which is the part that I can control, there are no cookies at all. The Salesforce platform is adding the cookie and it can't be removed as far as I know.

Could you check with your Salesforce expert on the method that they have used to remove that cookie?

jn Casassus  

Hi Xero experts,

Has anybody here found the solution for the Salesforce cookie problem? Or is there any code sample from Xero which would help us out?
I'm continuously getting the error 'Response contained a cookie'.

Naresh Yadav  

I haven't got a proper answer since December; the cookie is not removable from Salesforce and there is no way to relax the rules.
The only option I've used is to create a hosted middle man platform between Salesforce and Xero.

jn Casassus  

Is there any update here? I'm in the same situation!

Timothy Gentet-O'Brien  

Hi everyone,

Apologies for the delay, the good news is that we've changed things around with regards to cookies. Could I ask you to test your webhook integrations again please and see if this has helped you?

Thank you

Steven McDonald (Xero Staff)  

I'll give it a try tomorrow; if the cookie rule is now relaxed, it should work.
Thanks for the news.

jn Casassus  

It looks far better now. The verification/validation steps have passed successfully.

jn Casassus  

I can't get the encryption working... would one of you mind double checking and calling me an idiot if I have made a stupid mistake...

RestContext.request.headers.get('x-xero-signature') == EncodingUtil.base64Encode(Crypto.generateMac(

Timothy Gentet-O'Brien  

If Label.Xero_WebHook_Key is the key in clear text, I think that you need to use Blob.valueOf:

EncodingUtil.base64Encode(Crypto.generateMac('hmacSHA256', Blob.valueOf(RestContext.request.requestBody.ToString()), Blob.valueOf(Label.Xero_WebHook_Key))) == RestContext.request.headers.get('x-xero-signature')

jn Casassus
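The two mechanics the thread keeps coming back to are the POST handler that returns 200 or 401 depending on the signature check, and the HMAC itself: Base64(HMAC-SHA256(webhook key, raw request body)) compared against the x-xero-signature header. The following is an added example, not code from the thread, from Xero or from Salesforce, that puts both together in Python using only the standard library. The webhook key and the JSON body are constructed placeholders, and the request/response are plain dictionaries standing in for whatever framework the receiver actually runs on. It also shows the check behind the 'Response contained a cookie' error and one pitfall the Apex code above avoids but that is easy to hit elsewhere: signing a re-serialised copy of the body instead of the raw bytes.

```python
import base64
import hashlib
import hmac
import json

# Constructed example values: this is not a real Xero webhook key, and the
# payload is a made-up JSON body shaped loosely like a webhook event list.
EXAMPLE_WEBHOOK_KEY = "example-webhook-key-REPLACE-ME"
EXAMPLE_BODY = b'{"events":[],"firstEventSequence":0,"lastEventSequence":0,"entropy":"constructed"}'
SIGNATURE_HEADER = "x-xero-signature"


def compute_signature(raw_body: bytes, key: str) -> str:
    """Base64(HMAC-SHA256(key, raw_body)): the same scheme as the Apex
    Crypto.generateMac('hmacSHA256', ...) call in the thread."""
    mac = hmac.new(key.encode("utf-8"), raw_body, hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def get_header(headers: dict, name: str):
    """Case-insensitive header lookup; HTTP header names are not case-sensitive."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v
    return None


def verify_signature(raw_body: bytes, headers: dict, key: str) -> bool:
    """True only if the supplied header matches the MAC over the raw bytes."""
    supplied = get_header(headers, SIGNATURE_HEADER)
    if supplied is None:
        return False
    expected = compute_signature(raw_body, key)
    # compare_digest does not short-circuit on the first differing byte, so a
    # caller cannot learn how much of a guess was right from response timing.
    # Compare as bytes so a non-ASCII header value cannot raise a TypeError.
    return hmac.compare_digest(expected.encode("utf-8"), supplied.encode("utf-8"))


def handle_webhook(raw_body: bytes, headers: dict, key: str) -> tuple:
    """Mirror of the Apex POST method described in the thread: 200 when the
    signature verifies, 401 otherwise. Response headers are assembled
    explicitly, so nothing adds a Set-Cookie on the way out."""
    status = 200 if verify_signature(raw_body, headers, key) else 401
    response_headers = {"Content-Type": "text/plain", "Content-Length": "0"}
    return status, response_headers


def response_sets_cookie(response_headers: dict) -> bool:
    """The condition behind the 'Response contained a cookie' error: any
    Set-Cookie header on the webhook response, whatever added it."""
    return get_header(response_headers, "Set-Cookie") is not None


def reserialized_body_breaks_signature(raw_body: bytes, key: str) -> bool:
    """Pitfall: parsing the JSON and re-serialising it changes the bytes
    (whitespace, key order), so a MAC over the re-serialised text no longer
    matches the one computed over the raw body. Always sign what was received."""
    reserialized = json.dumps(json.loads(raw_body)).encode("utf-8")
    headers = {"X-Xero-Signature": compute_signature(raw_body, key)}
    return not verify_signature(reserialized, headers, key)


def demo() -> dict:
    """Run the receiver against a valid, a tampered and an unsigned request."""
    good = {"X-Xero-Signature": compute_signature(EXAMPLE_BODY, EXAMPLE_WEBHOOK_KEY)}
    tampered_body = EXAMPLE_BODY.replace(b'"lastEventSequence":0', b'"lastEventSequence":1')
    return {
        "valid": handle_webhook(EXAMPLE_BODY, good, EXAMPLE_WEBHOOK_KEY)[0],
        "tampered": handle_webhook(tampered_body, good, EXAMPLE_WEBHOOK_KEY)[0],
        "unsigned": handle_webhook(EXAMPLE_BODY, {}, EXAMPLE_WEBHOOK_KEY)[0],
        "cookie_free": not response_sets_cookie(
            handle_webhook(EXAMPLE_BODY, good, EXAMPLE_WEBHOOK_KEY)[1]),
    }


if __name__ == "__main__":
    print(demo())
```

The constant-time comparison is the one detail worth carrying back to the Apex version: a plain string `==` is what most samples use, and in Apex it is also case-insensitive, so `.equals()` on the Base64 text is the closer equivalent of what this example does.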