Session cookie secure flag

Hello folks,

I’m trying to configure session cookies to have the secure flag through ignition.conf, but I cannot get it to work.
I’ve set up the SameSite flag successfully, after I found information about it somewhere in the forums, but I wasn’t able to find anything about the secure flag.

For now, I can use a hack in the nginx configuration, but I’d like something cleaner…
Could anyone point me in the right direction?

Thank you and have a good day!

What version of Ignition are you on?

If you are connecting to the Gateway over https:// then the secure flag should be set on session cookies. If you are connecting over insecure http:// then the secure flag will not be set.

Hello Joel,

We’re using 8.1.3, and we only allow https… Still the session cookie is not secure-flagged.

I just downloaded 8.1.3 from the IA website and installed a self-signed SSL certificate, closed my browser to clear cookies from before installing the SSL certificate, and when I navigated to the Gateway Web Interface, I see the secure flag is set when using https://

Well, it’s clearly not the case for me…

Could it have something to do with the presence of an nginx reverse proxy?

edit: Yeah, so we have nginx handling those things, which is probably the reason behind this.

Most likely. What might be happening is: your web browser is connecting to nginx over https:// and nginx is doing SSL / TLS offloading and forwarding the request over insecure http:// to the backend Gateway. The Gateway will just see the connection as insecure and will not set the secure flag on the session cookie as a result.

Yes, exactly. At least I know why, now I can find a fix :)
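A check for the situation diagnosed in this thread, as an added example that is not part of the original posts: it parses the `Set-Cookie` headers a browser receives and reports session cookies that arrive over https without the Secure flag, which is what TLS offloading in front of a backend that only sees http produces. The cookie name, values and function names are constructed for illustration and are not taken from Ignition or nginx.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Cookie:
    name: str
    secure: bool
    httponly: bool
    samesite: Optional[str]


def parse_set_cookie(header_value: str) -> Cookie:
    """Parse one Set-Cookie header value into its name and security attributes."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip()  # attribute names are case-insensitive
    return Cookie(name, "secure" in attrs, "httponly" in attrs, attrs.get("samesite"))


def audit(client_scheme: str, set_cookie_headers: List[str]) -> List[str]:
    """Return findings for a response the client fetched over client_scheme."""
    findings = []
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        if client_scheme == "https" and not cookie.secure:
            findings.append(f"{cookie.name}: sent over https without Secure "
                            "(backend may be seeing http behind a TLS-offloading proxy)")
        if (cookie.samesite or "").lower() == "none" and not cookie.secure:
            findings.append(f"{cookie.name}: SameSite=None without Secure")
    return findings


# Constructed sample headers (not captured from a real Gateway).
DIRECT_HTTPS = "JSESSIONID=node0abc123; Path=/; Secure; HttpOnly; SameSite=Lax"
VIA_OFFLOADING_PROXY = "JSESSIONID=node0abc123; Path=/; HttpOnly; SameSite=Lax"

if __name__ == "__main__":
    for label, header in (("direct", DIRECT_HTTPS), ("proxied", VIA_OFFLOADING_PROXY)):
        print(label, audit("https", [header]) or "ok")
```

Feed it the headers seen at the browser side of the proxy (for example from the browser's developer tools), since that is where the missing flag matters.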