We have a java based application running on Amazon and have configured our Amazon ELB to connect to them successfully. However, we are seeing that the Cookie flag not set as Secure.
Name Value Domain Path Expires Secure
AWSELB lkajsldf test.com / Session No
How do I make the cookie secure?
I just re-checked the AWS documentation and it's still the case - you can't make this cookie secure or httpOnly.
http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/elb-sticky-sessions.html
However, you now have an option to have the ELB rely on a cookie that's issued by the web server, so you can configure your own server-level cookie on each web server (all having the same name) with a unique value for each web server and have the web server include the httponly and secure flags.
Directly from AWS support for a ticket with exactly the same issue:
Kindly note that HTTPOnly flags are meant to protect cookies carrying sensitive information, and stop HTTP clients from sending this cookies in plain text (Secure) or to prevent XSS attacks / access to said cookie via client side scripts (HTTPOnly).
Currently HttpOnly flag are not supported by ALB , and there are two reason on why ALB isnt support it.
- Firstly, "AWSALB" cookies contains no sensitive data or does not contain usernames/passwords or any personal information and are only used to determine which backend to send requests to and the session information is not stored in the cookie.
- Secondly, the contents of the cookie sent by ALB both CLB are encrypted using a rotating key and only the AWS service has the private keys that are used to encrypt. Decryption or modification of load balancer-generated cookies is not supported. For more information regarding Sticky Sessions with ALB, please refer to the documentation [1].
---- Workaround ---
You can make use of a Classic Load Balancer (CLB) which supports both duration based and application based stickiness. AS stated in the documentation [2] "You can't set the secure flag or HttpOnly flag on your duration-based session stickiness cookies. However, these cookies contain no sensitive data. Note that if you set the secure flag or HttpOnly flag on an application-controlled session stickiness cookie, it is also set on the AWSELB cookie. "
Having said that, it is also worth mentioning that we do have an on-going feature request for it and I have tagged your case to it. Our internal team is aware of the requirement and is working on it. As you might already know, new features require immense troubleshooting and testing, therefore I would not be able to provide you with an ETA on the feature request. I would however recommend you to keep an eye on our AWS new and AWS blog pages [3] and [4] for information on it.
For Reference:
[1] Sticky sessions - https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-sticky-sessions.html
[2] Classic Load Balancer session sticky - https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-sticky-sessions.html
[3] https://aws.amazon.com/
[4] https://aws.amazon.com/blogs/aws/
I think Since this cookie is only used by ELB for Session stickiness, that this is a un-secure cookie. (i.e no sensitive data).
You could open a support ticket with AWS regarding this.
