secure cookies when https is done on balancer, but balancer->appserver is http

Spike Grobstein asked:

We’re trying to maintain PCI compliance for our application and after an audit, the report was telling us that we need to set the secure flag on our cookies. The site is HTTPS (using pound for https termination) sitting in front of haproxy which serves to a number of backened appservers, as follows:

CLIENT ->(https)-> [Pound]->[HAProxy] ->(http)-> { app001 | app002 | appNNN }

I’ve done some research (googling) around but haven’t been able to find anything definitive about this, but would there be any issue with an appserver setting a secure cookie over http between it and the balancer, and would it make it through to the client over https?

Our staging environment doesn’t have SSL set up the same way as production so I’m unable to test this, but I’m trying to come up with a plan of action and see if there’s anything I’m missing before we try to move forward with this.

My answer:

You can set the secure flag on a cookie regardless of whether the connection made to the origin server was secured or not. The client interprets this flag, and won’t actually set the cookie if the connection wasn’t secured.

According to RFC 6265:

When a cookie has the Secure attribute, the user agent will include the cookie in an HTTP request only if the request is transmitted over a secure channel (typically HTTP over Transport Layer Security (TLS) [RFC2818]).

See RFC 6265 for more on how this flag works (and cookies in general).

View the full question and any other answers on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.