Enable secure cookies in AEM Cloud

Question

Hi, What would be the right approach to enable secure cookies in AEM Cloud? I've been trying by adding org.apache.felix.http.cfg.json with the values below, but that doesn't seem to work.   {
    "org.apache.felix.https.jetty.session.cookie.secure": "true",
    "org.apache.felix.proxy.load.balancer.connection.enable": "true"
}  The cookie I'm looking at specifically is the affinity cookie. Thanks!

Asutosh_Jena_ · Accepted Answer

Hi @danielkg  You can set header at the dispatcher v-host as well to set the cookie as secure. Header edit Set-Cookie ^(.*)$ $1;Secure;SameSite=Strict Thanks!

Adam100 · Answer

The official Adobe communication is as follows:

The affinity cookie is set by envoy to allocate the client a pointer into the ringhash that ensures their requests go back to the same pod where they pod exists. The cookie is a session cookie and must not have Max Age or Expires set which would make the cookie Persistent (see [1]) It is HttpOnly already. We only serve traffic over https so it is secure by default. The value of the cookie has not intrinsic value and does not give the client any insight into which hardware they are targeting as the RingHash[2] algorithm does not allow a client to manipulate the cookie to target specific pods. The algorithm only allows the client, on presentation of the value, to target the same pod. Possession of the cookie value has the same value as getting hold of a random number that has no meaning.

1 https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#define_the_lifetime_of_a_cookie

2 https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/load_balancers#ring-hash

Possibly the customers do not have any control on the setup here..

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded