cookiesgoogle-cloud-platformcloudgoogle-compute-engine

Secure flag on Google Cloud Load Balancer cookie


Our GCP Load Balancer is set up to route to our back-end service using cookie session affinity. It´s working ok, but the secure flag is not set. We have tried to specify it according RFC 7230:

Set-Cookie: Secure

Theorically the header can be configured on backend-service custom request header. The backend-service description:

gcloud beta compute backend-services describe my-backend-service --global

customRequestHeaders:
- 'Set-Cookie: Secure'
description: ''
enableCDN: false
fingerprint: XXXXXX-XX
healthChecks:
- https://www.googleapis.com/compute/beta/projects/my-project/global/healthChecks/my-check
id: 'XXXXXXXXXXXXXXX'
kind: compute#backendService
loadBalancingScheme: EXTERNAL
name: my-backend-service
port: 80
portName: http
protocol: HTTP
selfLink: https://www.googleapis.com/compute/beta/projects/my-project/global/backendServices/my-backend-service
sessionAffinity: GENERATED_COOKIE
timeoutSec: 300

However the GLCB cookie still not showing the secure flag.

What are we doing wrong?

Thanks in advance.


Solution

  • Make sure that the value passed into UriCookieConfig was HTTP and not https. Switching to https changed the set-cookie to be secure and might fix your issue.

    When setting a cookie, the cookie is not set with a secure attribute but NOT because it is set via HTTP (though not ideal too). A secure flag in a set-cookie header instructs the client only sent the cookie back via a secure channel (e.g. https). It redirects to https when the request isn't secure:

    See the following document for more details on setting the secure Flag:

    https://owasp.org/www-community/controls/SecureCookieAttribute https://cloud.google.com/docs/security/encryption-in-transit