6

We have a Java-based application running on Amazon and have configured our Amazon ELB to connect to it successfully. However, we are seeing that the cookie's Secure flag is not set.

Name    Value       Domain     Path    Expires     Secure
AWSELB  lkajsldf    test.com   /       Session     No

How do I make the cookie secure?

Lego
  • Do you serve the application over SSL? If not, then that's why. I think ELB terminates SSL and speaks HTTP to your back-end servers, but I'm not 100% sure. – Nathan C Jan 28 '14 at 19:08
  • The application listens on port 8585 but securely. At no point on the path is a packet unsecure. – Lego Jan 28 '14 at 21:44
  • Now that I think of it, the answer given makes sense. ELB implements sticky sessions and it looks like that cookie is set by it. – Nathan C Jan 29 '14 at 13:21

2 Answers

6

I just re-checked the AWS documentation and it's still the case - you can't make this cookie secure or httpOnly.

http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/elb-sticky-sessions.html

However, you now have an option to have the ELB rely on a cookie that's issued by the web server, so you can configure your own server-level cookie on each web server (all having the same name) with a unique value for each web server, and have the web server include the HttpOnly and Secure flags.

Matthew Wanders
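One way to act on this answer, as an added example that is not from the thread or from AWS: each app server emits a stickiness cookie with a shared name, a per-server value, and the Secure and HttpOnly flags, and a small audit function parses Set-Cookie headers to report which cookies still lack those flags (the kind of check a pentest would run). The cookie name APPSTICKY and the server ids are constructed placeholders.

```python
"""Audit Set-Cookie headers for Secure/HttpOnly and build the
application-controlled stickiness cookie an app server would emit.
Cookie name and server ids are constructed placeholders."""
from http.cookies import SimpleCookie

# Constructed sample of what the original poster saw: the ELB-issued
# cookie has neither flag, while the app's own session cookie has both.
SAMPLE_HEADERS = [
    "AWSELB=lkajsldf; Path=/",
    "JSESSIONID=abc123; Path=/; Secure; HttpOnly",
]


def parse_set_cookie(header):
    """Return (name, value, flags) for one raw Set-Cookie header value.
    Flag-only attributes (Secure, HttpOnly) map to True; others keep
    their value. Attribute names are lower-cased for comparison."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    flags = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        flags[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, flags


def audit_cookies(headers):
    """Map each cookie name to the list of missing flags, in the order
    ('secure', 'httponly'); cookies with both flags are omitted."""
    findings = {}
    for header in headers:
        name, _, flags = parse_set_cookie(header)
        missing = [f for f in ("secure", "httponly") if f not in flags]
        if missing:
            findings[name] = missing
    return findings


def app_sticky_cookie(server_id, name="APPSTICKY"):
    """Build the Set-Cookie value for the server-issued stickiness cookie:
    same name on every server, a value unique to this server, and both
    flags set, so the ELB's application cookie policy can key on it."""
    jar = SimpleCookie()
    jar[name] = server_id
    jar[name]["path"] = "/"
    jar[name]["secure"] = True
    jar[name]["httponly"] = True
    return jar[name].OutputString()


if __name__ == "__main__":
    print("ELB-issued cookies:", audit_cookies(SAMPLE_HEADERS))
    print("Server-issued cookie:", app_sticky_cookie("web-01"))
```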
1

I think, since this cookie is only used by ELB for session stickiness, that this is an un-secure cookie (i.e. no sensitive data).

You could open a support ticket with AWS regarding this.

vijay rajah
  • Thanks vijay rajah. The AWS engineer did say it contained no sensitive data. However, our penetration tests are flagging this as a security hole and I have a hard time convincing them that this can be ignored. – Lego Jan 29 '14 at 14:33