How can I make the Bluemix VCAP_ID cookie safe?
What is a __VCAP_ID__ cookie
Here's what I found in the section on HTTP Sessions Not Persisting or Replicating of the Cloud Foundry docs:
Cloud Foundry supports session affinity or sticky sessions for incoming HTTP requests to applications when using the jsessionid cookie. If Cloud Foundry has multiple application instances running, all requests from that client will be redirected to the same application instance. This allows application containers and frameworks to store session data specific to each user session.
And this sticky session is tracked with a cookie named __VCAP_ID__, see cloudfoundry/gorouter/proxy/proxy.go.
Setting the __VCAP_ID__ cookie
Check out cloudfoundry/gorouter/proxy/setupStickySession(). The configuration for setting this cookie is a private method, which means it is resolved internally within the proxy. The only variables are maxAge and Path, which means it uses the maxAge / Path of the JSESSIONID cookie for the __VCAP_ID__ cookie.
I am curious why Secure is not part of this. Instead, it gets resolved when creating a proxy in gorouter. I created issue 99 to keep track of this because it should be as secure as JSESSIONID.
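An added example, not part of the answer above and not gorouter code: a Go check that reads the Set-Cookie headers of one response and reports where the sticky cookie is weaker than, or differs from, the JSESSIONID it accompanies. The function names and the sample header values are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/http"
)

// stickyCookie is the name of the router's session-affinity cookie.
const stickyCookie = "__VCAP_ID__"

// auditSticky compares the sticky cookie with the application's JSESSIONID
// in one response and returns a finding for every attribute that falls short.
func auditSticky(h http.Header) []string {
	var app, sticky *http.Cookie
	resp := http.Response{Header: h}
	for _, c := range resp.Cookies() {
		switch c.Name {
		case "JSESSIONID":
			app = c
		case stickyCookie:
			sticky = c
		}
	}
	if app == nil || sticky == nil {
		return nil // no sticky session was set up on this response
	}
	var out []string
	if app.Secure && !sticky.Secure {
		out = append(out, "Secure missing on "+stickyCookie)
	}
	if app.Path != sticky.Path {
		out = append(out, "Path differs from JSESSIONID")
	}
	if app.MaxAge != sticky.MaxAge {
		out = append(out, "Max-Age differs from JSESSIONID")
	}
	return out
}

// sample builds constructed Set-Cookie headers; stickySecure toggles the flag.
func sample(stickySecure bool) http.Header {
	h := http.Header{}
	h.Add("Set-Cookie", (&http.Cookie{Name: "JSESSIONID", Value: "abc", Path: "/app", MaxAge: 1800, Secure: true, HttpOnly: true}).String())
	h.Add("Set-Cookie", (&http.Cookie{Name: stickyCookie, Value: "instance-guid", Path: "/app", MaxAge: 1800, Secure: stickySecure}).String())
	return h
}

func main() {
	fmt.Println(auditSticky(sample(false))) // [Secure missing on __VCAP_ID__]
	fmt.Println(auditSticky(sample(true)))  // []
}
```

Feeding it the headers of a real HTTPS response from a routed application shows whether the router in front of it was configured to add Secure.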