How can I make the Bluemix VCAP_ID cookie secure?

Bluemix generates a VCAP_ID cookie which is currently unsecured (see below). Is there a way to make it secure? Is there a reason for not providing security?

Set-Cookie: VCAP_ID=[edited]; Path=/; HttpOnly

versus

Set-Cookie: VCAP_ID=[edited]; Path=/; HttpOnly; Secure

+3




2 answers


No, this is installed inside Bluemix. We can bring this back to the development team to make the cookie safe.



+2




What is the __VCAP_ID_ cookie?

Here's what I found in the section "HTTP Sessions Not Persisting or Replicating" of the Cloud Foundry docs:

Cloud Foundry supports session affinity or sticky sessions for incoming HTTP requests to applications when using the jsessionid cookie. If Cloud Foundry has multiple application instances running, all requests from that client will be redirected to the same application instance. This allows application containers and frameworks to store session data specific to each user session.

And this sticky session is tracked with a cookie named __VCAP_ID_, see cloudfoundry/gorouter/proxy/proxy.go.



Setting the __VCAP_ID_ cookie

Check out cloudfoundry/gorouter/proxy/setupStickySession(). The configuration for setting this cookie is a private method, which means it is resolved internally within the proxy. The only variables are maxAge and Path, which means it uses the maxAge/Path of the JSESSIONID cookie for the __VCAP_ID_ cookie.

I am curious why Secure is not part of this. Instead, it gets resolved when creating a proxy in gorouter. I created issue 99 to keep track of this because it should be as secure as JSESSIONID.

+1


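The behaviour the answer above describes, as an added Go illustration (not gorouter's own code): the affinity cookie is derived from the application's JSESSIONID cookie by copying only Path and MaxAge, so a Secure flag on JSESSIONID never reaches __VCAP_ID_; the same function with inheritSecure set models the fix, and auditSetCookies is the check you can run against a response's Set-Cookie headers. The instance id, cookie values and header lines are constructed sample data.

```go
package main

import (
	"fmt"
	"net/http"
)

// Affinity cookie name set by gorouter (taken from the answer above).
const stickyCookieName = "__VCAP_ID_"

// deriveStickyCookie models the behaviour described in the answer: only Path
// and MaxAge are copied from the app's JSESSIONID cookie, so its Secure flag is
// silently dropped. With inheritSecure=true it models the proposed fix.
// (Illustration only, not gorouter's setupStickySession.)
func deriveStickyCookie(session *http.Cookie, instanceID string, inheritSecure bool) *http.Cookie {
	c := &http.Cookie{
		Name:     stickyCookieName,
		Value:    instanceID,
		Path:     session.Path,
		MaxAge:   session.MaxAge,
		HttpOnly: true,
	}
	if inheritSecure {
		c.Secure = session.Secure
	}
	return c
}

// auditSetCookies takes the raw Set-Cookie header values of a response and
// returns the names of all cookies that lack the Secure flag, which is the
// check to run on an HTTPS app's responses before relying on the cookies.
func auditSetCookies(setCookie []string) []string {
	resp := &http.Response{Header: http.Header{"Set-Cookie": setCookie}}
	var insecure []string
	for _, c := range resp.Cookies() {
		if !c.Secure {
			insecure = append(insecure, c.Name)
		}
	}
	return insecure
}

func main() {
	// Constructed session cookie, as an app serving over HTTPS would emit it.
	session := &http.Cookie{Name: "JSESSIONID", Value: "abc123", Path: "/", MaxAge: 3600, Secure: true, HttpOnly: true}
	legacy := deriveStickyCookie(session, "instance-guid-placeholder", false)
	fixed := deriveStickyCookie(session, "instance-guid-placeholder", true)
	fmt.Println(legacy.String()) // no Secure, like the header quoted in the question
	fmt.Println(fixed.String())  // Secure inherited from JSESSIONID
	fmt.Println(auditSetCookies([]string{session.String(), legacy.String()}))
}
```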






