Non-secure cookies are rendering with secure and httponly flags

amoghd64765494

17-08-2020

We are experiencing a strange issue with the website. We have a set of cookies that are rendering fine on PROD without the httpOnly flag and without the secure flag. The same cookies are rendering the opposite way on the Stage server.

We have verified everything at the Akamai and Dispatcher level but could not find any difference in configuration apart from the domain name. My suspicion now is that this is coming from the AWS load balancer, but due to lack of knowledge and access I am not able to figure it out. Does anyone have an idea why this may be happening?


We don't want those cookies to be secured and httpOnly.

Thanks,
Amogh 

Accepted Solutions (1)

vanegi

Employee

17-08-2020

Hi @amoghd64765494.

Can you check if "Enable Proxy/Load Balancer Connection" is checked in the Apache Felix Jetty Based HTTP Service configuration? Compare the Apache Felix Jetty Based HTTP Service configuration in both the prod and stage instances. In cases where there's a proxy or load balancer, the connection is often over HTTP. An X-Forwarded-Proto header can be used in this case to tell the origin server that a proxied connection is secure. To undo this behavior, if Enable Proxy/Load Balancer Connection is not checked, Jetty will not honor the XFF headers at all. Checking this box caused the secure flag to be added to the Set-Cookie header through a proxied connection.

Thanks!!
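To find which hop (CDN, Dispatcher, load balancer or publish instance) introduces the flags described in this thread, it helps to diff the `Set-Cookie` attributes of two captured responses. The following is an added example, not code from the thread or from AEM; the cookie names and header captures are constructed samples.

```python
"""Diff Secure/HttpOnly flags on Set-Cookie headers between two captures."""

FLAGS = ("secure", "httponly")


def cookie_flags(raw_headers):
    """Map cookie name -> set of flags present, from raw response header text."""
    result = {}
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].partition("=")[0].strip()
        # Attribute names are case-insensitive; flags carry no "=value" part.
        attrs = {p.partition("=")[0].strip().lower() for p in parts[1:]}
        result[cookie_name] = {f for f in FLAGS if f in attrs}
    return result


def diff_flags(prod_headers, stage_headers):
    """Return {cookie: (prod_flags, stage_flags)} for cookies whose flags differ."""
    prod, stage = cookie_flags(prod_headers), cookie_flags(stage_headers)
    return {
        name: (sorted(prod[name]), sorted(stage[name]))
        for name in sorted(prod.keys() & stage.keys())
        if prod[name] != stage[name]
    }


# Constructed sample captures, in the form saved by `curl -sI <url>`.
PROD = """HTTP/1.1 200 OK
Set-Cookie: pref=dark; Path=/
Set-Cookie: JSESSIONID=abc123; Path=/; HttpOnly
"""
STAGE = """HTTP/1.1 200 OK
Set-Cookie: pref=dark; Path=/; Secure; HttpOnly
Set-Cookie: JSESSIONID=abc123; Path=/; Secure; HttpOnly
"""

if __name__ == "__main__":
    for name, (p, s) in diff_flags(PROD, STAGE).items():
        print(f"{name}: prod={p or 'none'} stage={s or 'none'}")
```

Running the same comparison on two responses from a single instance, one requested with `X-Forwarded-Proto: https` and one without, shows whether that header is what triggers the flag.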

 

 

Answers (0)