Ingress affinity session cookie doesn't have a Secure flag for HTTPS #1759
Comments
|
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
k8s-ci-robot
added
the
lifecycle/stale
|
Stale issues rot after 30d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
k8s-ci-robot
added
lifecycle/rotten
|
Rotten issues close after 30d of inactivity. Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
|
/reopen It is still not possible to generate secure cookies which I think is a serious issue. |
|
@Dieler: you can't re-open an issue/PR unless you authored it or you are assigned to it. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
@pvl7 Hi, I've tried to reopen this issue but it seems that only the author is allowed to do so. Could you please reopen it? |
|
Cannot re-open as wasn't closed by myself. @fejta could you help please? |
|
@pvl7 Are you enable the session affinity with https ? Does it works ? I tried it, but just http work. |
|
This is my ingress rule: apiVersion: extensions/v1beta1
kind: Ingress
metadata:
annotations:
ingress.kubernetes.io/affinity: cookie
kubernetes.io/ingress.allow-http: "true"
kubernetes.io/ingress.class: nginx
creationTimestamp: 2017-05-23T14:20:01Z
generation: 1
name: www-ingress
namespace: application
selfLink: /apis/extensions/v1beta1/namespaces/application/ingresses/www-ingress
spec:
rules:
- host: www.host.com
http:
paths:
- backend:
serviceName: www-host-com
servicePort: 443
path: /
tls:
- hosts:
- www-host-com
secretName: general-tls |
|
@pvl7 you can get around this by using a custom nginx template and adding the https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/custom-template.md has more information on setting up a custom nginx template for the latest version of the kubernetes nginx ingress. |
|
Rotten issues close after 30d of inactivity. Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
|
@pvl7 @Dieler @kongyi-ibm @aledbf I'm having the same issue and a pull request that should fix it (#3509). Can you reopen the issue, please? And in case you worked around it, would you let me know how? Thanks! |
|
/remove-lifecycle rotten |
k8s-ci-robot
removed
the
lifecycle/rotten
|
/reopen It is still not possible to generate secure cookies |
|
@rofreytag: You can't reopen an issue/PR unless you authored it or you are a collaborator. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
When the affinity is set to Cookie for stickness, the cookie is created without the Secure flag:
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Date: Mon, 27 Nov 2017 20:12:38 GMT
Server: nginx/1.13.5
Set-Cookie: INGRESSCOOKIE=45d066e788c9e4eee9030f12b35afbaf; Path=/; HttpOnly
Set-Cookie: csrf-token=db3dc3c54aecf5c9e9e4b3c3c717be7c319cd5d5-1511813558503-a34200bbe6f7d78233f3412f; Path=/; Secure; HTTPOnly
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Connection: Close
Content-Length: 18744
For HTTPS sessions it is recommended to have that flag added to any cookie (https://cwe.mitre.org/data/definitions/614.html). I checked the annotations but was unable to find anything to set that flag, so I'd like to get a new feature request created please.
The text was updated successfully, but these errors were encountered: