I'm encountering an issue with setting the secure attribute for session cookies (JSESSIONID) in a Spring web application deployed on AWS ECS.
Here's the scenario:
Requirement: Make session cookies secure (secure="true") for the application to enhance security.
Configuration: I modified the WildFly configuration as follows:
<session-cookie http-only="true" secure="true"/>
This configuration works perfectly with HTTPS requests.
Issue: However, when testing using the internal load balancer URL (HTTP), I receive the following error message:
"this attempt to set a cookie via a set-cookie header was blocked because it has the secure attribute but was not received via a secure connection"
Question: Is there a programmatic or WildFly configuration approach to manage JSESSIONID cookies seamlessly with the secure attribute set to "true" across both HTTP and HTTPS protocols within the WildFly application server? Given the involvement of the servlet container in JSESSIONID handling, I believe there's limited control over this behavior.
I appreciate any insights or suggestions you can provide. Thank you!
The browser will not send a cookie with the secure attribute set over an unencrypted HTTP request, so it is not possible.
Reference: https://owasp.org/www-community/controls/SecureCookieAttribute