abhi

Reputation: 41

SECURE flag not appearing for JSESSIONID cookie

The application is deployed on AWS and serves on port 80, and the ELB forwards that port 80 to 443. Spring Security is used for the session, which creates a cookie with the secure flag set. When I hit the application host name I can see that the secure flag is set, as shown below.

curl -I target_hostname

Set-Cookie: JSESSIONID=XXXXXXXX; Path=/; Secure; HttpOnly

But when I directly hit the EC2 IP (using curl), I can see that the secure flag is not set.

curl -I target_ec2_ip

Set-Cookie: JSESSIONID=XXXXXXXX; Path=/; HttpOnly

Why is this happening? Can anyone explain?

Upvotes: 0

Views: 1526

Answers (1)

guest

Reputation: 637

I'm going to assume that you terminate SSL at the ELB, and you're contacting the EC2 instance directly via HTTP (port 80). In that case, the following applies:

RFC 6265:

If the cookie's secure-only-flag is true, then the request-uri's scheme must denote a "secure" protocol (as defined by the user agent).

NOTE: The notion of a "secure" protocol is not defined by this document. Typically, user agents consider a protocol secure if the protocol makes use of transport-layer security, such as SSL or TLS.

The MDN doc is more explicit:

Insecure sites (http:) can't set cookies with the "secure" directive anymore (new in Chrome 52+ and Firefox 52+).

Upvotes: 0
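To make the two rules the answer quotes concrete, here is an added example (not code from the question, the answer, or Spring Security) that parses the two `Set-Cookie` lines from the question and applies them: the MDN rule that a browser drops a `Secure` cookie set over `http:`, and the RFC 6265 rule that a stored `Secure` cookie is only sent on `https:` requests. The sample responses are constructed to match the question's `curl -I` output; the URLs and cookie values are placeholders, and "secure protocol" is taken to mean `https` only (the browser localhost exception is not modelled). The audit function flags what a practitioner would want to catch here: a session cookie issued without `Secure` on one path into the application. It does not model why Spring omits the flag on the direct-IP request; a common cause in such setups is the servlet container deciding from the proxy's `X-Forwarded-Proto` header whether the original request was HTTPS, but that is an assumption about this deployment, not something the thread states.

```python
"""Checks for the Set-Cookie behaviour discussed in the thread above."""
from typing import Dict, List, Optional, Tuple

# Constructed sample, modelled on the two `curl -I` results quoted in the
# question; the URLs and cookie values are placeholders, not real data.
SAMPLE_RESPONSES: Dict[str, List[str]] = {
    "https://target_hostname/": [
        "Set-Cookie: JSESSIONID=XXXXXXXX; Path=/; Secure; HttpOnly",
    ],
    "http://target_ec2_ip/": [
        "Set-Cookie: JSESSIONID=XXXXXXXX; Path=/; HttpOnly",
    ],
}


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, Optional[str]]]:
    """Split one Set-Cookie header into (name, value, attributes).

    Attribute names are lower-cased. Flag attributes (Secure, HttpOnly) map
    to None; valued attributes (Path, Max-Age, ...) map to their value.
    A leading "Set-Cookie:" prefix, as printed by curl -I, is tolerated.
    """
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None
    return name.strip(), value.strip(), attrs


def scheme_of(url: str) -> str:
    """Return the URL scheme in lower case ("http" or "https")."""
    return url.split("://", 1)[0].lower()


def user_agent_stores(header: str, request_url: str) -> bool:
    """Storage rule from the MDN note quoted in the answer: since Chrome 52
    and Firefox 52, a cookie carrying Secure is dropped when it arrives over
    an insecure (http:) origin. Everything else is stored.
    Assumption: "secure" means https only; no localhost exception."""
    _, _, attrs = parse_set_cookie(header)
    return not ("secure" in attrs and scheme_of(request_url) != "https")


def user_agent_sends(header: str, request_url: str) -> bool:
    """Sending rule from RFC 6265 section 5.4: a stored cookie whose
    secure-only-flag is set is attached only to requests whose scheme
    denotes a secure protocol, again taken here to mean https."""
    _, _, attrs = parse_set_cookie(header)
    return not ("secure" in attrs and scheme_of(request_url) != "https")


def audit_session_cookies(responses: Dict[str, List[str]],
                          cookie_name: str = "JSESSIONID") -> List[str]:
    """Report session cookies issued without Secure, issued with Secure over
    http (the browser will discard them), or lacking HttpOnly."""
    findings: List[str] = []
    for url, headers in responses.items():
        for header in headers:
            name, _, attrs = parse_set_cookie(header)
            if name != cookie_name:
                continue
            if "secure" not in attrs:
                findings.append(f"{url}: {name} issued without Secure")
            elif not user_agent_stores(header, url):
                findings.append(f"{url}: {name} has Secure but was set over "
                                f"{scheme_of(url)}; browsers will drop it")
            if "httponly" not in attrs:
                findings.append(f"{url}: {name} issued without HttpOnly")
    return findings


if __name__ == "__main__":
    for finding in audit_session_cookies(SAMPLE_RESPONSES):
        print(finding)
```

Running it against the constructed sample reports only the direct-IP response, where `JSESSIONID` is issued without `Secure`. The second branch of the audit shows the answer's point from the other side: had the EC2 instance sent `Secure` over plain `http:`, the cookie would not be stored by a current browser at all, so a curl-only check can look fine while real clients never keep the session.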
