Cookie secure flag
KB - Secure flag of cookies

Affects product

  • Microgateway
  • Ingress

Question or problem

Protocol mismatch might cause security risks or break session management.

Understanding the secure flag

Session cookies

Airlock Microgateway issues two different cookies for session management:

  • AL_SESS: Session cookie for HTTP
  • AL_SESS-S: Sessions cookie for HTTPS

Airlock Microgateway sets automatically the "Secure" flag when connecting to the HTTPS port.

Browsers only send cookies with the "Secure" flag set over a HTTPS connection back to the server.

Protocol mismatch causes security risks

Explanation

If HTTPS connections are not terminated by Airlock Microgateway, a mismatch between protocols before/after the Kubernetes ingress controller may cause problems. Consider, e.g., the following situation, where connections between clients and the ingress controller use HTTPS and connections between the Ingress Controller and the Microgateways use HTTP:

[Client] <--(HTTPS)--> [K8s Ingress Controller] <--(HTTP)--> [Airlock Microgateway] 

Here, the "Secure" flag of the session cookie delivered to the client is not set, posing a security risk. A browser would send this session cookie also over a insecure HTTP connection to the server.

Instruction

  • 1.
    Ensure that the protocols are consistently used between Clients and the Kubernetes ingress controller and the Kubernetes ingress controller and Airlock Microgateway.
  • The "Secure" flag is not set for the AL_SESS session cookie.
  • The "Secure" flag is set for the AL_SESS-S session cookie.
Protocol mismatch breaks session management

Explanation

In the opposite situation, HTTP is used towards the client and HTTPS on the inside:

[Client] <--(HTTP)--> [K8s Ingress Controller] <--(HTTPS)--> [Airlock Microgateway] 

In this setup, the "Secure" flag on the AL_SESS_S cookie is set. However, when the client makes the next request, the browser will not send the "Secure" cookie over HTTP. As a consequence, a new session cookie is issued for each request and the user will not be able to use session-based features, such as upstream session authentication.

Similar effects may occur when defining cookies as passthrough cookies, i.e., when cookies are passed to clients by Airlock Microgateway. Use the response action "(default) Set cookie security attributes" to control the security flags of cookies explicitly.

Instruction

  • 1.
    Ensure that the protocols are consistently used between Clients and the Kubernetes ingress controller and the Kubernetes ingress controller and Airlock Microgateway.
  • The "Secure" flag is not set for the AL_SESS session cookie.
  • The "Secure" flag is set for the AL_SESS-S session cookie.