Hello folks,
I’m trying to configure session cookies to have the secure flag through ignition.conf, but I cannot get it to work.
I’ve set up the SameSite flag successfully, after I found information about it somewhere in the forums, but I wasn’t able to find anything about the secure flag.
For now, I can use a hack in nginx configuration, but I’d like something cleaner…
Could anyone point me in the right direction?
Thank you and have a good day!
What version of Ignition are you on?
If you are connecting to the Gateway over https:// then the secure flag should be set on session cookies. If you are connecting over insecure http:// then the secure flag will not be set.
Hello Joel,
We’re using 8.1.3, and we only allow https… Still the session cookie is not secure-flagged.
I just downloaded 8.1.3 from the IA website and installed a self-signed SSL certificate, closed my browser to clear cookies from before installing the SSL certificate, and when I navigated to the Gateway Web Interface, I saw that the secure flag is set when using https://
Well, it’s clearly not the case for me…
Could it have something to do with the presence of an nginx reverse proxy?
Edit: Yeah, so we have nginx handling those things, which is probably the reason behind this.
Most likely. What might be happening is: your web browser is connecting to nginx over https:// and nginx is doing SSL / TLS offloading and forwarding the request over insecure http:// to the backend Gateway. The Gateway will just see the connection as insecure and will not set the secure flag on the session cookie as a result.
Yes, exactly. At least I know why, now I can find a fix.
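Added example, not part of the original thread and not taken from any poster's configuration: an nginx server block for the TLS-offloading setup described above, showing where the Secure attribute is lost and two ways to restore it at the proxy. The server name, certificate paths and backend address are placeholders.

```nginx
# Added example. Server name, certificate paths and the upstream address
# are placeholders, not values from the thread.
server {
    listen 443 ssl;
    server_name gateway.example.com;                  # placeholder

    ssl_certificate     /etc/nginx/tls/gateway.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/tls/gateway.key;   # placeholder path

    location / {
        # TLS ends at nginx. The hop to the backend is plain HTTP, so the
        # backend sees an insecure connection and emits Set-Cookie without
        # the Secure attribute. With only this proxy_pass line, the browser
        # receives the session cookie unflagged even though it used https://.
        proxy_pass http://127.0.0.1:8088;             # assumed backend address

        proxy_set_header Host $host;
        # Tells the backend which scheme the client used. Whether the
        # backend acts on this header is not covered in the thread.
        proxy_set_header X-Forwarded-Proto $scheme;

        # Option 1 (nginx 1.19.3 and later): add Secure to every cookie
        # in upstream responses. "~" is an empty regex that matches all names.
        proxy_cookie_flags ~ secure;

        # Option 2 (older nginx): append the attribute by rewriting the
        # cookie path. Only affects cookies that carry a Path attribute.
        # proxy_cookie_path / "/; Secure";
    }
}

# Redirect plain HTTP so the session cookie is never requested in clear text.
server {
    listen 80;
    server_name gateway.example.com;                  # placeholder
    return 301 https://$host$request_uri;
}
```

After reloading nginx and clearing existing cookies, the Set-Cookie response header shown in the browser's developer tools should carry the Secure attribute.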