Expand my Community achievements bar.

SOLVED

Non secure cookies are rendering with secure and httponly flag

Avatar

Level 3
Level 3
8/17/20 9:37:50 PM

We are experiencing strange issue with the website. We set of cookies that are rendering fine on PROD without httpOnly and without secure flag. Same cookies are rendering opposite to this on Stage server.

 

We have verified everything on Akamai and Dispatcher level but could not find any difference in terms of configuration apart from the domain name. Now my suspect is that this is happening from AWS load balancer but due to lack of knowledge and access I am not able figure it out. So does anyone have an idea why this may be happening?


We don't want those cookies to be secured and httpOnly.

 

Thanks,
Amogh 

Views

763

Replies

1
Sign in to like this content

Total Likes

Translate
Translate
1 Accepted Solution

Avatar

Correct answer by
Employee
Employee
8/17/20 10:26:56 PM

Hi @amoghd64765494.

Can you check if  "Enable Proxy/Load Balancer Connection" is checked in the Apache Felix Jetty Based HTTP Service configuration? Compare Apache Felix Jetty Based HTTP Service configuration in both prod and stage instance. In cases where there's a proxy or load balancer, the connection is often over HTTP. A X-Forwarded-Proto header can be used in this case to tell the origin server that a proxied connection is secure. To undo this behavior, if Enable Proxy/Load Balancer Connection is not checked, Jetty will not honor the XFF headers at all. Checking this box caused the secure flag to be added to Set-Cookie header through a proxied connection. 

 

Thanks!!

 

 

View solution in original post

Views

754

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply
1 Reply

Avatar

Correct answer by
Employee
Employee
8/17/20 10:26:56 PM

Hi @amoghd64765494.

Can you check if  "Enable Proxy/Load Balancer Connection" is checked in the Apache Felix Jetty Based HTTP Service configuration? Compare Apache Felix Jetty Based HTTP Service configuration in both prod and stage instance. In cases where there's a proxy or load balancer, the connection is often over HTTP. A X-Forwarded-Proto header can be used in this case to tell the origin server that a proxied connection is secure. To undo this behavior, if Enable Proxy/Load Balancer Connection is not checked, Jetty will not honor the XFF headers at all. Checking this box caused the secure flag to be added to Set-Cookie header through a proxied connection. 

 

Thanks!!

 

 

Views

755

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply
Related Conversations
How dispatcher cache flush works for cached content with selector in AEM CS(Cloud Service)? Solved

Views

134

Likes

0

Replies

4
Pages are appearing white while migrating code from on-premise to cloud

Views

135

Like

1

Replies

3
Cloud server is throwing error with felix plugin

Views

98

Likes

0

Replies

1
Why are asset links breaking on sites when asset expiration dates have passed?

Views

96

Likes

0

Replies

2
Rendering AEM pages with proxy layer not loading the CSS and JS files

Views

239

Likes

0

Replies

7