
SOLVED

Non secure cookies are rendering with secure and httponly flag

We are experiencing a strange issue with the website. We have a set of cookies that render fine on PROD without the httpOnly and secure flags. The same cookies render the opposite way on the Stage server.

We have verified everything at the Akamai and Dispatcher level but could not find any difference in configuration apart from the domain name. My suspicion now is that this is coming from the AWS load balancer, but due to lack of knowledge and access I am not able to figure it out. So does anyone have an idea why this may be happening?


We don't want those cookies to be secured and httpOnly.

 

Thanks,
Amogh 

1 Accepted Solution

Correct answer by Employee

Hi @amoghd64765494.

Can you check whether "Enable Proxy/Load Balancer Connection" is checked in the Apache Felix Jetty Based HTTP Service configuration? Compare the Apache Felix Jetty Based HTTP Service configuration in both the prod and stage instances. In cases where there is a proxy or load balancer, the connection is often over HTTP. An X-Forwarded-Proto header can be used in this case to tell the origin server that a proxied connection is secure. To undo this behavior: if Enable Proxy/Load Balancer Connection is not checked, Jetty will not honor the XFF headers at all. Checking this box causes the secure flag to be added to the Set-Cookie header through a proxied connection.

 

Thanks!!
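Added example, not code from the thread or from AEM: a small script that compares the Secure / HttpOnly attributes of the same cookies as captured from two environments, so the difference described in the question can be confirmed from headers (for instance copied from `curl -sI` output against each host) before touching the Jetty setting. The cookie names and header values below are constructed samples.

```python
# Added example: diff the Secure / HttpOnly flags of matching cookies between
# two captured responses (PROD vs Stage). Not part of the original thread.
from typing import Dict, List, Set, Tuple

FLAG_ATTRS = {"secure", "httponly"}

# Constructed sample captures: PROD serves plain cookies, Stage adds both flags,
# which is the symptom reported in the question.
PROD_HEADERS = [
    "site_lang=en; Path=/; Max-Age=3600",
    "ab_variant=B; Path=/",
]
STAGE_HEADERS = [
    "site_lang=en; Path=/; Max-Age=3600; Secure; HttpOnly",
    "ab_variant=B; Path=/; Secure; HttpOnly",
]


def parse_set_cookie(header: str) -> Tuple[str, Set[str]]:
    """Return (cookie name, lower-cased flag attributes present in the header)."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    flags = {p.lower() for p in parts[1:] if p.lower() in FLAG_ATTRS}
    return name, flags


def cookie_flags(headers: List[str]) -> Dict[str, Set[str]]:
    """Map cookie name -> flags for every Set-Cookie header of one response."""
    return dict(parse_set_cookie(h) for h in headers)


def diff_flags(prod: List[str], stage: List[str]) -> Dict[str, Set[str]]:
    """For cookies present in both captures, the flags Stage carries but PROD
    does not. An empty dict means the two environments agree."""
    p, s = cookie_flags(prod), cookie_flags(stage)
    out: Dict[str, Set[str]] = {}
    for name in p.keys() & s.keys():
        extra = s[name] - p[name]
        if extra:
            out[name] = extra
    return out


if __name__ == "__main__":
    for name, extra in sorted(diff_flags(PROD_HEADERS, STAGE_HEADERS).items()):
        print(f"{name}: Stage adds {', '.join(sorted(extra))}")
```

If the only difference is Secure (and HttpOnly) on the environment that sits behind a TLS-terminating proxy, the proxy-awareness setting in the accepted answer is the first thing to compare between the two instances.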
