Non secure cookies are rendering with secure and httponly flag

amoghd64765494
Level 2

17-08-2020

We are experiencing a strange issue with the website. We have a set of cookies that are rendering fine on PROD without the httpOnly and secure flags. The same cookies are rendering the opposite way on the Stage server.

We have verified everything at the Akamai and Dispatcher level but could not find any difference in terms of configuration apart from the domain name. Now my suspicion is that this is happening from the AWS load balancer, but due to lack of knowledge and access I am not able to figure it out. So does anyone have an idea why this may be happening?


We don't want those cookies to be secured and httpOnly.

 

Thanks,
Amogh 

Accepted Solutions (1)

vanegi
Employee

17-08-2020

Hi @amoghd64765494.

Can you check if "Enable Proxy/Load Balancer Connection" is checked in the Apache Felix Jetty Based HTTP Service configuration? Compare the Apache Felix Jetty Based HTTP Service configuration in both the prod and stage instances. In cases where there's a proxy or load balancer, the connection is often over HTTP. An X-Forwarded-Proto header can be used in this case to tell the origin server that a proxied connection is secure. To undo this behavior, if Enable Proxy/Load Balancer Connection is not checked, Jetty will not honor the XFF headers at all. Checking this box caused the secure flag to be added to the Set-Cookie header through a proxied connection.

 

Thanks!!
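
An added example, not part of the original thread: one way to confirm which cookies differ between the two environments is to parse the `Set-Cookie` response headers captured from each and diff the `Secure` and `HttpOnly` attributes per cookie. The cookie names and header lines below are constructed samples, and the function names are hypothetical.

```python
# Added example: compare cookie flags across two environments.
# Header lines are constructed samples, not values from the thread.
PROD_HEADERS = [
    "Set-Cookie: site_pref=en; Path=/",
    "Set-Cookie: promo_seen=1; Path=/; Max-Age=3600",
]
STAGE_HEADERS = [
    "Set-Cookie: site_pref=en; Path=/; Secure; HttpOnly",
    "Set-Cookie: promo_seen=1; Path=/; Max-Age=3600; Secure; HttpOnly",
]

FLAGS = ("secure", "httponly")


def parse_set_cookie(line):
    """Return (cookie_name, set_of_flags) for one Set-Cookie header line."""
    _, _, value = line.partition(":")
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    # Attribute names are case-insensitive (RFC 6265), so normalise them.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return name, {f for f in FLAGS if f in attrs}


def cookie_flags(header_lines):
    """Map cookie name -> flags for every Set-Cookie line in a response."""
    result = {}
    for line in header_lines:
        if line.lower().startswith("set-cookie:"):
            name, flags = parse_set_cookie(line)
            result[name] = flags
    return result


def diff_flags(env_a, env_b):
    """Return {cookie: (flags_a, flags_b)} for cookies whose flags differ."""
    a, b = cookie_flags(env_a), cookie_flags(env_b)
    names = sorted(set(a) | set(b))
    return {n: (a.get(n), b.get(n)) for n in names if a.get(n) != b.get(n)}


if __name__ == "__main__":
    diff = diff_flags(PROD_HEADERS, STAGE_HEADERS)
    for name, (prod, stage) in diff.items():
        print(f"{name}: prod={sorted(prod or [])} stage={sorted(stage or [])}")
```

The header lines can be captured with `curl -s -D - -o /dev/null <url>` against each environment. Capturing the same URL at each hop (CDN, load balancer, Dispatcher, publish instance) shows where the flags first appear.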

 

 

Answers (0)