Make login-token cookie secure | Community
Skip to main content
A
anujk4
Level 2
March 14, 2019

Make login-token cookie secure

  • March 14, 2019
  • 3 replies
  • 11499 views

When we try to access localhost:4502, a cookie is created by the name cq-authoring-mode. Upon successful authentication a new cookie is created by the name login-token. both the cookies mentioned above are not secure. Can we do some modification in AEM that will make these cookies secure?

This post is no longer active and is closed to new replies. Need help? Start a new post to ask your question.

3 replies

Gaurav-Behl
Gaurav-Behl
Level 10
March 14, 2019

Enable SSL on AEM to make it secure

refer -

Adobe Experience Manager Help | Using the SSL Wizard in AEM

SSL By Default

A
anujk4Author
Level 2
March 15, 2019

Hi Gaurav, thanks for your reply. I already tried what was mentioned in the link provided by you. I am getting below error. Any idea why?

Gaurav-Behl
Gaurav-Behl
Level 10
March 15, 2019

If you follow the steps exactly, it would work fine. I've it running in my local w/o any issue.

What did you specify as hostname?

If you've specified a different hostname than localhost, make sure you've an entry in /etc/hosts or hosts file of WIN

arunpatidar
Community Advisor
arunpatidarCommunity Advisor
Community Advisor
March 14, 2019

You can do similar like below

Update expired time for login-token cookie

https://www.tunetheweb.com/security/http-security-headers/secure-cookies/

Using Apache Http Mod_Header rewrite setcooke header of authentication response.

Add this line of code to apache configuration:

Header edit Set-Cookie ^(login-token | cq-authoring-mode)$ $1;HttpOnly;Secure

Arun Patidar
A
anujk4Author
Level 2
March 15, 2019

Hi Arun, thanks for the response. we do not have apache setup on top of author. Author is accessible on 4502 port.

Also, there is one non prod AEM instance available that has a valid CA certificate. it is accessible over https. In one of the question asked here in the forum (AEM Session Cookie with httponly and secure flag ) it is mentioned that cookies are secure by default over https. On this instance too the cookies are not secured.

Am i missing something here??

Thanks

arunpatidar
Community Advisor
arunpatidarCommunity Advisor
Community Advisor
March 15, 2019

Hi,

I think we overlooked into this, there is a configuration to enable secure cookie

How to enable secure cookies in AEM

But just FYI/FYK

You can try to make cookies secure using filters, you can check with cookies are not secure then make it to secure using java

aem63app-repo/DemoCookieFilter.java at master · arunpatidar02/aem63app-repo · GitHub

But If you want to make it over SSL, check below article-

Implementing SSL on AEM – OpsInventor

Arun Patidar
J
jamiec4451712
Level 3
June 8, 2020

I know this is an old question, but our team ran into it recently and found a solution that may be helpful to others.

 

I decompiled AEM's TokenUtil class and tried to find the place where the login-token cookie is set, and the secure flag is set or not based on the request's isSecure() method. If the request is secure, then the flag is set. Otherwise, it's not. So the question really becomes: how do we get the request to be marked as secure.

 

It ends up there's a few solutions here. The first is to connect over HTTPS. Obviously this works, but in cases where there's a proxy or load balancer, the connection is often over HTTP. It's pretty well understood that a X-Forwarded-Proto header can be used in this case to tell the origin server that a proxied connection was secure. However, in our case this header was being set, but the request object was still not "secure". 

 

It ends up that these headers are simply not honored all the time by Jetty. There is a flag in the Apache Felix Jetty Based HTTP Service that handles this, but it is not the obvious one, which is "Session Cookie httpOnly". This refers to the JESSIONID cookie, not the login-token cookie, and so this checkbox has no affect.

 

The true solution is to ensure that "Enable Proxy/Load Balancer Connection" is checked in the Apache Felix Jetty Based HTTP Service configuration. It seems like Jetty will not honor the XFF headers if this value is not true. Checking this box caused the secure flag to be added to our Set-Cookie header through a proxied connection.

 

tl;dr - set Enable Proxy/Load Balancer Connection to true in the Apache Felix Jetty Based HTTP Service configuration.

    AEM_Dan
    AEM_Dan
    Level 3
    December 14, 2022

    Thank you for sharing.  I looked far and wide for this solution and this is the only place I found it.  It's referenced here: https://experienceleague.adobe.com/docs/experience-cloud-kcs/kbarticles/KA-16936.html?lang=en.  But that doesn't say anything about the login-token cookie.

     

    In our case, X-Forwarded-Proto was not coming through.  It was being sent by the load balancer but our dispatcher config was not forwarding it.  So if you are explicitly listing headers to be sent, make sure the dispatcher.any /clientheaders section has X-Forwarded-Proto listed.

      Terms & ConditionsAccessibility statement

      Loading footer...