Ktor: Secure Cookies behind an SSL load balancer
Hi. When I set a cookie with the secure field as true KTOR throw this exception:
java.lang.IllegalArgumentException: You should set secure cookie only via secure transport (HTTPS)
at io.ktor.response.ResponseCookies.append(ResponseCookies.kt:11)
at io.ktor.response.ResponseCookies.append(ResponseCookies.kt:26)
at io.ktor.response.ResponseCookies.append$default(ResponseCookies.kt:25)
I get that this is per spec, however I am running KTOR behind a load balancer that strips away HTTPS. Are there any solutions? I think this is a pretty common scenario. I think I will run into a similar issue with the HSTS headers.
Thank you :)
RamenSea
All 5 comments
See feature XForwardedHeadersSupport. Installing it should help if your balancer is setting one of the following headers: X-Forwarded-Proto, X-Forwarded-Protocol, X-Forwarded-SSL or Front-End-Https
cy6erGn0m
on 2 Feb 2018
If your balancer works as per RFC 7239 and sets Forwarded header properly then you can install ForwardedHeaderSupport feature
cy6erGn0m
on 2 Feb 2018
Hey thank you for the really quick response.
I have had not had the time to test this out or look into forward headers.
I will response ASAP, hopefully next week.
However in the KTOR's ResponseCookie class append method it throws an exception, if the server is not a "secureTransport" and if the cookie is "secure". Does the ForwardedHeaderSupport feature somehow detects if the URL being forwarded was HTTPS or something?
RamenSea
on 9 Feb 2018
Adding the feature (XForwardedHeadersSupport) does allow setting cookies with "secure" enabled.
However, I think this check in ResponseCookies is a mistake. What if I'm behind a proxy (or a chain of proxies) that doesn't set the necessary headers? Even when the headers are being sent, why should I have to enable inspection of some headers I otherwise don't care about at all to get past this check? It's very clearly my intent as a developer to set the Secure flag, otherwise I wouldn't have written the code to set it. Just let me do it.
It's just a hurdle with little value: now I have to go through the hassle of figuring out exactly which headers the proxies _do_ send, adjusting the headers inspected in the feature (I'm assuming that's why the config uses arrayListOf -- so we can modify it), etc. I could see maybe logging a warning the first time it happens, but even that would get annoying quickly. I think the check should be removed in its entirety.
marshallpierce
on 9 Aug 2018
Sorry forgot to confirm this fixed the issue.
RamenSea
on 18 Aug 2018
Related issues
lamba92
路
3Comments
PPACI
路
4Comments
chrisjenx
路
4Comments
gabin8
路
3Comments
wellingtoncosta
路
3Comments
Most helpful comment
Adding the feature (
XForwardedHeadersSupport) does allow setting cookies with "secure" enabled.However, I think this check in ResponseCookies is a mistake. What if I'm behind a proxy (or a chain of proxies) that doesn't set the necessary headers? Even when the headers are being sent, why should I have to enable inspection of some headers I otherwise don't care about at all to get past this check? It's very clearly my intent as a developer to set the
Secureflag, otherwise I wouldn't have written the code to set it. Just let me do it.It's just a hurdle with little value: now I have to go through the hassle of figuring out exactly which headers the proxies _do_ send, adjusting the headers inspected in the feature (I'm assuming that's why the config uses
arrayListOf-- so we can modify it), etc. I could see maybe logging a warning the first time it happens, but even that would get annoying quickly. I think the check should be removed in its entirety.