Ktor: Do not enforce https on secure cookies

Created on 9 May 2019  路  2Comments  路  Source: ktorio/ktor

Hi,

I set my session cookie to "secure" and get "You should set secure cookie only via secure transport (HTTPS)" exception because my (CIO) server is not configured to use SSL.

But this is by design: I use a reverse proxy handling SSL and my ktor application is behind that (not using https intentionally).

Am I missing something or is the aforementioned check just too strict? If so, please remove it :-) (see link below)

Thank you!

https://github.com/ktorio/ktor/blob/848b63cc58f048efdda34a2c6060cce8a68584cb/ktor-server/ktor-server-core/jvm/src/io/ktor/response/ResponseCookies.kt#L29

documentation question
Source
picture schleinzer
👍1

Most helpful comment

You should be using forwarded headers feature: https://ktor.io/servers/features/forward-headers.html so in this case the check will pass.

picture cy6erGn0m on 11 May 2019
👍2

All 2 comments

You should be using forwarded headers feature: https://ktor.io/servers/features/forward-headers.html so in this case the check will pass.

cy6erGn0m picture cy6erGn0m on 11 May 2019
👍2

Ah, did not think of this! Quite obvious if you know about it 鈽猴笍 thank you very much, will try that.

schleinzer picture schleinzer on 11 May 2019
Was this page helpful?
0 / 5 - 0 ratings

Related issues

wellingtoncosta picture wellingtoncosta  路  3Comments
gabin8 picture gabin8  路  4Comments
KennethanCeyer picture KennethanCeyer  路  4Comments
shinriyo picture shinriyo  路  4Comments
seanf picture seanf  路  3Comments