Secure Cookies behind an SSL load balancer
Hi. When I set a cookie with the secure field as true, Ktor throws this exception:
java.lang.IllegalArgumentException: You should set secure cookie only via secure transport (HTTPS)
at io.ktor.response.ResponseCookies.append(ResponseCookies.kt:11)
at io.ktor.response.ResponseCookies.append(ResponseCookies.kt:26)
at io.ktor.response.ResponseCookies.append$default(ResponseCookies.kt:25)
I get that this is per spec, however I am running Ktor behind a load balancer that strips away HTTPS. Are there any solutions? I think this is a pretty common scenario. I think I will run into a similar issue with the HSTS headers.
Thank you 😃
Issue analytics: created 6 years ago; 5 comments (3 by maintainers)
Top GitHub Comments
Adding the feature (XForwardedHeadersSupport) does allow setting cookies with “secure” enabled. However, I think this check in ResponseCookies is a mistake. What if I’m behind a proxy (or a chain of proxies) that doesn’t set the necessary headers? Even when the headers are being sent, why should I have to enable inspection of some headers I otherwise don’t care about at all to get past this check? It’s very clearly my intent as a developer to set the Secure flag, otherwise I wouldn’t have written the code to set it. Just let me do it.

It’s just a hurdle with little value: now I have to go through the hassle of figuring out exactly which headers the proxies do send, adjusting the headers inspected in the feature (I’m assuming that’s why the config uses arrayListOf – so we can modify it), etc. I could see maybe logging a warning the first time it happens, but even that would get annoying quickly. I think the check should be removed in its entirety.

Sorry, forgot to confirm this fixed the issue.
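An added example, not code from the issue thread or from Ktor's own sources: a Ktor 1.x application that installs the forwarded-header feature (named XForwardedHeaderSupport in the Ktor 1.x API; the comment above calls it XForwardedHeadersSupport) so that the load balancer's X-Forwarded-Proto header is what the Secure cookie check sees, and that only issues the cookie when the resolved scheme is https. It assumes the balancer sends X-Forwarded-Proto and is the only peer able to reach the Ktor port, because the feature trusts that header from whoever sends it.

```kotlin
// Added example for Ktor 1.x (not from the issue thread). Assumes the load
// balancer terminates TLS, forwards "X-Forwarded-Proto: https", and is the only
// peer that can reach this port: any client that can reach Ktor directly could
// otherwise send X-Forwarded-Proto itself and make a plain-HTTP request look
// like HTTPS to the cookie check.
import io.ktor.application.*
import io.ktor.features.*
import io.ktor.response.*
import io.ktor.routing.*
import io.ktor.server.engine.embeddedServer
import io.ktor.server.netty.Netty

fun Application.module() {
    // Reads X-Forwarded-Proto / X-Forwarded-For / X-Forwarded-Host and exposes
    // the client-facing values through call.request.origin. Without this,
    // origin.scheme is "http" for the balancer-to-Ktor hop and
    // append(secure = true) throws the IllegalArgumentException quoted above.
    install(XForwardedHeaderSupport)

    routing {
        get("/login") {
            if (call.request.origin.scheme == "https") {
                call.response.cookies.append(
                    name = "session",
                    value = "opaque-session-id", // constructed placeholder value
                    secure = true,   // browser returns it only over HTTPS
                    httpOnly = true, // not readable from page script
                    path = "/"
                )
                call.respondText("secure session cookie set")
            } else {
                // Reached when no trusted X-Forwarded-Proto: https arrived, e.g.
                // a proxy that does not set the header. Fail closed rather than
                // issue a session cookie without the Secure flag.
                call.respondText("refusing to issue a session cookie over plain HTTP")
            }
        }
    }
}

fun main() {
    embeddedServer(Netty, port = 8080) { module() }.start(wait = true)
}
```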