SOLVED

Enable secure cookies in AEM Cloud

Level 1

Hi,

What would be the right approach to enable secure cookies in AEM Cloud? I've been trying by adding org.apache.felix.http.cfg.json with the values below, but that doesn't seem to work. 

{
    "org.apache.felix.https.jetty.session.cookie.secure": "true",
    "org.apache.felix.proxy.load.balancer.connection.enable": "true"
}

The cookie I'm looking at specifically is the affinity cookie.

Thanks!

1 Accepted Solution

Correct answer by
Community Advisor

Hi @danielkg 

You can set a header at the dispatcher v-host as well to set the cookie as secure.

Header edit Set-Cookie ^(.*)$ $1;Secure;SameSite=Strict

Thanks! 

5 Replies

Level 1
Thanks for the help, I tried this approach and the Set-Cookie header is not being overridden by that rule in my case. Is there a specific location in the vhost file where this should be placed? I'm adding it under <VirtualHost *:80><Directory />, and have also tried under <IfModule mod_headers.c> but it doesn't seem to work.

Level 2

The official Adobe communication is as follows:

The affinity cookie is set by envoy to allocate the client a pointer into the ringhash that ensures their requests go back to the same pod where their pod exists. The cookie is a session cookie and must not have Max Age or Expires set, which would make the cookie Persistent (see [1]). It is HttpOnly already. We only serve traffic over https so it is secure by default. The value of the cookie has no intrinsic value and does not give the client any insight into which hardware they are targeting, as the RingHash [2] algorithm does not allow a client to manipulate the cookie to target specific pods. The algorithm only allows the client, on presentation of the value, to target the same pod. Possession of the cookie value has the same value as getting hold of a random number that has no meaning.

1 https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#define_the_lifetime_of_a_cookie

2 https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/load_balance...

Possibly the customers do not have any control over the setup here.

Level 2

I have the same requirement from Customer. The affinity cookie has no "Secure" attribute.

I set the "org.apache.felix.http" config as below.

"org.apache.felix.https.jetty.session.cookie.secure": true

I also tried to edit the cookies on the dispatcher, but that didn't work either.

Header always edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure;

Is there anything else I could do to update the "Secure" attribute of the affinity cookie?
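As an added example (not code from any poster in this thread), a small Python check that parses the Set-Cookie headers of a captured response, reports which cookies lack Secure, HttpOnly or SameSite, and emulates the blanket regex rewrite that the `Header edit Set-Cookie ^(.*)$ $1;Secure;SameSite=Strict` rule above performs, beside a variant that appends only what is missing (the blanket rule duplicates attributes on cookies that already carry them). The cookie names and values are constructed; run it against the headers your own `curl -i` shows to confirm whether the rule actually reached the client.

```python
import re

# Constructed sample Set-Cookie headers, as curl -i would show them;
# the cookie names and values are made up for this example.
SAMPLE_SET_COOKIE = [
    "affinity=3f9a1c2e7b; Path=/; HttpOnly",
    "login-token=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
]

REQUIRED = ("Secure", "HttpOnly", "SameSite")
ADD = {"Secure": "; Secure", "HttpOnly": "; HttpOnly", "SameSite": "; SameSite=Strict"}

def parse_set_cookie(header):
    """Split one Set-Cookie header into (cookie name, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if part:                       # tolerate a trailing ';'
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip()
    return name, attrs

def missing_attributes(header):
    """Names of the security attributes absent from one Set-Cookie header."""
    _, attrs = parse_set_cookie(header)
    return [a for a in REQUIRED if a.lower() not in attrs]

def header_edit(header, pattern=r"^(.*)$", replacement=r"\1;Secure;SameSite=Strict"):
    """Emulate 'Header edit Set-Cookie <pattern> <replacement>' on a single header.
    Apache writes the back-reference as $1; Python's re uses \\1."""
    return re.sub(pattern, replacement, header, count=1)

def harden(header):
    """Append only the attributes that are missing, so a cookie that already
    carries Secure or SameSite is left unchanged (the blanket edit would
    add a second, conflicting SameSite value to such a cookie)."""
    extra = "".join(ADD[m] for m in missing_attributes(header))
    return header.rstrip("; ") + extra

if __name__ == "__main__":
    for h in SAMPLE_SET_COOKIE:
        print(f"{h!r}: missing {missing_attributes(h)}")
        print("  after blanket edit:", header_edit(h))
        print("  after harden      :", harden(h))
```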

Level 3

Hello @berkayf70599426,

Can you please let me know how you added the Secure flag for the affinity cookie? I need to add the Secure flag and the SameSite attribute to the affinity cookie for my website.

Thanks in advance.

Regards,

Bhavani Bharanidharan