Ingress-nginx: Ingress affinity session cookie doesn't have a Secure flag for HTTPS

Created on 28 Nov 2017 · 15Comments · Source: kubernetes/ingress-nginx

When the affinity is set to Cookie for stickness, the cookie is created without the Secure flag:

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Date: Mon, 27 Nov 2017 20:12:38 GMT
Server: nginx/1.13.5
Set-Cookie: INGRESSCOOKIE=45d066e788c9e4eee9030f12b35afbaf; Path=/; HttpOnly
Set-Cookie: csrf-token=db3dc3c54aecf5c9e9e4b3c3c717be7c319cd5d5-1511813558503-a34200bbe6f7d78233f3412f; Path=/; Secure; HTTPOnly
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Connection: Close
Content-Length: 18744

For HTTPS sessions it is recommended to have that flag added to any cookie (https://cwe.mitre.org/data/definitions/614.html). I checked the annotations but was unable to find anything to set that flag, so I'd like to get a new feature request created please.

Source

pvl7

Most helpful comment

This is my ingress rule:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    ingress.kubernetes.io/affinity: cookie
    kubernetes.io/ingress.allow-http: "true"
    kubernetes.io/ingress.class: nginx
  creationTimestamp: 2017-05-23T14:20:01Z
  generation: 1
  name: www-ingress
  namespace: application
  selfLink: /apis/extensions/v1beta1/namespaces/application/ingresses/www-ingress
spec:
  rules:
  - host: www.host.com
    http:
      paths:
      - backend:
          serviceName: www-host-com
          servicePort: 443
        path: /
  tls:
  - hosts:
    - www-host-com
    secretName: general-tls

pvl7 on 11 Jun 2018

👍2

All 15 comments

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

fejta-bot on 26 Feb 2018

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle rotten
/remove-lifecycle stale

fejta-bot on 28 Mar 2018

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close

fejta-bot on 27 Apr 2018

/reopen

It is still not possible to generate secure cookies which I think is a serious issue.

Dieler on 24 May 2018

@Dieler: you can't re-open an issue/PR unless you authored it or you are assigned to it.

In response to this:

/reopen

It is still not possible to generate secure cookies which I think is a serious issue.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

k8s-ci-robot on 24 May 2018

@pvl7 Hi, I've tried to reopen this issue but it seems that only the author is allowed to do so. Could you please reopen it?

Dieler on 24 May 2018

Cannot re-open as wasn't closed by myself.

@fejta could you help please?

pvl7 on 24 May 2018

@pvl7 Are you enable the session affinity with https ? Does it works ? I tried it, but just http work.

kongyi-ibm on 8 Jun 2018

This is my ingress rule:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    ingress.kubernetes.io/affinity: cookie
    kubernetes.io/ingress.allow-http: "true"
    kubernetes.io/ingress.class: nginx
  creationTimestamp: 2017-05-23T14:20:01Z
  generation: 1
  name: www-ingress
  namespace: application
  selfLink: /apis/extensions/v1beta1/namespaces/application/ingresses/www-ingress
spec:
  rules:
  - host: www.host.com
    http:
      paths:
      - backend:
          serviceName: www-host-com
          servicePort: 443
        path: /
  tls:
  - hosts:
    - www-host-com
    secretName: general-tls

pvl7 on 11 Jun 2018

👍2

@pvl7 you can get around this by using a custom nginx template and adding the secure flag to the template here.

https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/custom-template.md has more information on setting up a custom nginx template for the latest version of the kubernetes nginx ingress.

rodawg on 6 Jul 2018

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close

fejta-bot on 5 Aug 2018

@pvl7 @Dieler @kongyi-ibm @aledbf I'm having the same issue and a pull request that should fix it (https://github.com/kubernetes/ingress-nginx/pull/3509). Can you reopen the issue, please? And in case you worked around it, would you let me know how? Thanks!