Hi,
What would be the right approach to enable secure cookies in AEM Cloud? I've been trying by adding org.apache.felix.http.cfg.json with the values below, but that doesn't seem to work.
{
"org.apache.felix.https.jetty.session.cookie.secure": "true",
"org.apache.felix.proxy.load.balancer.connection.enable": "true"
}
The cookie I'm looking at specifically is the affinity cookie.
Thanks!
Hi @danielkg
You can set header at the dispatcher v-host as well to set the cookie as secure.
Header edit Set-Cookie ^(.*)$ $1;Secure;SameSite=Strict
Thanks!
The official Adobe communication is as follows:
The affinity cookie is set by Envoy to allocate the client a pointer into the ring hash that ensures their requests go back to the same pod where their pod exists. The cookie is a session cookie and must not have Max-Age or Expires set, which would make the cookie persistent (see [1]). It is HttpOnly already. We only serve traffic over HTTPS, so it is secure by default. The value of the cookie has no intrinsic value and does not give the client any insight into which hardware they are targeting, as the RingHash[2] algorithm does not allow a client to manipulate the cookie to target specific pods. The algorithm only allows the client, on presentation of the value, to target the same pod. Possession of the cookie value has the same value as getting hold of a random number that has no meaning.
1 https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#define_the_lifetime_of_a_cookie
Possibly the customers do not have any control over the setup here.
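The following is an added example, not code from this thread or from Adobe, that lets you check the answers above against an actual response: it audits Set-Cookie headers for Secure, HttpOnly, SameSite and the session-only property Adobe describes for the affinity cookie (no Expires/Max-Age), and it emulates the dispatcher `Header edit` rule from the earlier reply beside a guarded variant that only appends Secure when it is absent. The cookie names and header values are constructed sample input; the affinity cookie name and value are assumptions, not the real ones. Apache 2.4 compiles `Header edit` patterns with PCRE, so the guarded pattern carries over to the vhost unchanged.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample Set-Cookie header values, as a dispatcher or CDN response might carry them.
# Names and values are illustrative; "affinity" stands in for the real affinity cookie.
SAMPLE_HEADERS = [
    "affinity=3f9c1a7e; Path=/; HttpOnly",                        # session cookie, Secure missing
    "login-token=abc123; Path=/; Expires=Wed, 01 Jan 2025 00:00:00 GMT; HttpOnly; Secure",
    "cq-authoring-mode=TOUCH; Path=/; Secure; SameSite=Strict",   # already Secure
]


def parse_set_cookie(header: str) -> Dict[str, str]:
    """Split one Set-Cookie header value into attributes (keys lower-cased).

    The cookie itself is stored under '__name__' / '__value__'; flag attributes
    such as Secure or HttpOnly map to an empty string.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {"__name__": name.strip(), "__value__": value.strip()}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return attrs


def audit(header: str, session_only: bool = False) -> List[str]:
    """Return findings for one header; an empty list means it passes.

    session_only=True enforces the affinity-cookie rule: no Expires/Max-Age.
    """
    attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")
    if attrs.get("samesite", "").lower() not in ("strict", "lax"):
        findings.append("SameSite not Strict/Lax")
    if session_only and ("expires" in attrs or "max-age" in attrs):
        findings.append("persistent (Expires/Max-Age) but should be a session cookie")
    return findings


# The rule from the dispatcher reply, as a Python regex: it appends unconditionally,
# so a cookie that is already Secure ends up with the attribute twice.
NAIVE_EDIT: Tuple[re.Pattern, str] = (re.compile(r"^(.*)$"), r"\1;Secure;SameSite=Strict")

# Guarded variant: the negative lookahead makes the match fail when any ";Secure"
# attribute is already present, so the header is left untouched in that case.
GUARDED_EDIT: Tuple[re.Pattern, str] = (
    re.compile(r"^((?:(?!;\s*secure\b).)*)$", re.IGNORECASE),
    r"\1; Secure",
)


def apply_edit(header: str, edit: Tuple[re.Pattern, str]) -> str:
    """Emulate `Header edit Set-Cookie <pattern> <replacement>` on one header value."""
    pattern, replacement = edit
    return pattern.sub(replacement, header, count=1)


def audit_all(headers: List[str], session_cookies: Tuple[str, ...] = ("affinity",)) -> Dict[str, List[str]]:
    """Audit a list of Set-Cookie values; cookies named in session_cookies must be session-only."""
    result = {}
    for h in headers:
        name = parse_set_cookie(h)["__name__"]
        result[name] = audit(h, session_only=name in session_cookies)
    return result


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_HEADERS).items():
        print(f"{name}: {findings or 'ok'}")
    print("naive  :", apply_edit(SAMPLE_HEADERS[2], NAIVE_EDIT))
    print("guarded:", apply_edit(SAMPLE_HEADERS[2], GUARDED_EDIT))
```

In practice, feed the script the Set-Cookie values from `curl -sI https://<host>/` rather than the constructed list. Two caveats when you do apply the vhost rule: appending `SameSite=Strict` to every cookie also hits cookies set by cross-site login redirects (for example an IdP returning to the author instance), which Strict blocks on the top-level navigation, so Lax is usually the safer blanket default; and because the duplicated attributes from the naive rule are tolerated by browsers, a check like the one above is the only way you notice them.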