Load Balancer on Amazon does not have secure flag set for Cookie
We have a Java-based application running on Amazon and have configured our Amazon ELB to connect to them successfully. However, we are seeing that the Cookie flag is not set as Secure.
Name    Value     Domain    Path  Expires  Secure
AWSELB  lkajsldf  test.com  /     Session  No
How do I make the cookie secure?
Solution 1:
I just re-checked the AWS documentation and it's still the case - you can't make this cookie secure or httpOnly.
http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/elb-sticky-sessions.html
However, you now have an option to have the ELB rely on a cookie that's issued by the web server, so you can configure your own server-level cookie on each web server (all having the same name) with a unique value for each web server and have the web server include the httponly and secure flags.
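A check for the setup described in Solution 1, as an added example that is not part of the original answers or any AWS code: it builds the Set-Cookie value a web server could issue (same name on every server, unique value per server, Secure and HttpOnly set) and reports which cookies in a response lack those flags. The cookie name `APPSTICKY`, the server id `web01` and the sample headers are assumptions constructed for illustration.

```python
# Added example: names, values and headers below are constructed for illustration.
STICKY_NAME = "APPSTICKY"  # hypothetical cookie name shared by all web servers


def build_sticky_cookie(server_id: str) -> str:
    """Set-Cookie value a web server could issue: same name on every
    server, unique value per server, with Secure and HttpOnly set."""
    if not server_id.isalnum():
        raise ValueError("server_id must be alphanumeric")
    return f"{STICKY_NAME}={server_id}; Path=/; Secure; HttpOnly"


def parse_set_cookie(header: str) -> dict:
    """Split one Set-Cookie value into name, value and lower-cased attributes."""
    first, *rest = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value, "attrs": attrs}


def missing_flags(set_cookie_headers: list) -> dict:
    """Map each cookie name to the flags (Secure, HttpOnly) it lacks."""
    report = {}
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        # Attribute names are case-insensitive, so compare in lower case.
        lacking = [flag for flag in ("Secure", "HttpOnly")
                   if flag.lower() not in cookie["attrs"]]
        report[cookie["name"]] = lacking
    return report


# Constructed response headers: the ELB cookie from the question's table
# next to a server-issued cookie built as described in Solution 1.
SAMPLE_HEADERS = [
    "AWSELB=lkajsldf; Path=/",
    build_sticky_cookie("web01"),
]

if __name__ == "__main__":
    for name, lacking in missing_flags(SAMPLE_HEADERS).items():
        print(name, "missing:", ", ".join(lacking) or "none")
```
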
Solution 2:
I think that, since this cookie is only used by ELB for session stickiness, this is an un-secure cookie (i.e. no sensitive data).
You could open a support ticket with AWS regarding this.