Overview #
When using Cookie Insertion persistence (e.g., NOIDSESSIONID) in RELIANOID HTTP/S farms, you may want to enhance security by adding the HttpOnly and Secure flags to the generated cookie.
Although these flags are not currently exposed as dedicated fields in the WebUI, they can be applied using a configuration workaround within the Cookie Domain field.
Solution #
To enable HttpOnly and Secure flags for the persistence cookie, append them directly to the Cookie Domain value without spaces, using semicolons (;) as separators. Example:
example.com;HttpOnly;Secure
Important: Do not include blank spaces between elements.
In the Service tab of the HTTP/S farm section of the web UI, enable the Cookie Insertion option and set the Cookie Domain field to the value shown above.

After applying this configuration, save the changes and reload the farm if required.
How It Works #
This approach relies on how cookie attributes are separated in HTTP headers: attributes in a Set-Cookie header are delimited by semicolons, so the extra attributes appended to the domain string are passed through and RELIANOID includes them in the Set-Cookie header sent to clients.
This is a configuration-level workaround and is currently supported only for HTTP/S farms, where cookie-based persistence is handled at the application layer.
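The following script is an added example, not RELIANOID's own code, that models the mechanism described above: it assumes the Cookie Domain field is inserted verbatim after Domain= in the Set-Cookie header, validates the field value against the no-spaces rule from the Solution section, and parses the resulting header with Python's standard cookie parser to confirm that a client would see the HttpOnly and Secure flags. The cookie name NOIDSESSIONID is taken from this page; the session value and the checked header line are constructed sample data.

```python
"""Model of the Cookie Domain workaround for the RELIANOID persistence cookie.

Added example, not RELIANOID code. Assumption: the balancer emits
    Set-Cookie: <name>=<value>; Domain=<Cookie Domain field>; Path=/
so everything after the first ';' in the field becomes extra attributes.
"""
import re
from http.cookies import SimpleCookie

COOKIE_NAME = "NOIDSESSIONID"          # persistence cookie name from the article
ALLOWED_EXTRA = {"httponly", "secure"}  # the only attributes the workaround is documented for


def validate_cookie_domain_field(field: str) -> list[str]:
    """Return the list of problems found in a Cookie Domain field value (empty = OK)."""
    problems = []
    if " " in field:
        problems.append("contains blank spaces; the value must be written without spaces")
    domain, *extras = field.split(";")
    if not re.fullmatch(r"[A-Za-z0-9.-]+", domain or ""):
        problems.append(f"invalid domain part: {domain!r}")
    for extra in extras:
        if extra.lower() not in ALLOWED_EXTRA:
            problems.append(f"unsupported attribute: {extra!r}")
    return problems


def build_set_cookie(field: str, session_value: str) -> str:
    """Modelled header construction (assumption): the field lands verbatim after Domain=."""
    return f"{COOKIE_NAME}={session_value}; Domain={field}; Path=/"


def cookie_flags(set_cookie_value: str) -> dict:
    """Parse a Set-Cookie value and report the attributes a browser would apply."""
    jar = SimpleCookie()
    jar.load(set_cookie_value)
    morsel = jar.get(COOKIE_NAME)
    if morsel is None:
        return {"present": False}
    return {
        "present": True,
        "domain": morsel["domain"],
        "httponly": bool(morsel["httponly"]),  # flags are stored as True when present
        "secure": bool(morsel["secure"]),
    }


if __name__ == "__main__":
    for field in ("example.com;HttpOnly;Secure", "example.com; HttpOnly; Secure"):
        print(f"{field!r}: {validate_cookie_domain_field(field) or 'OK'}")

    # Constructed sample of what the farm would send with the recommended value.
    header = build_set_cookie("example.com;HttpOnly;Secure", "a1b2c3")
    print(header)
    print(cookie_flags(header))
```

Run it against a real deployment by pasting the Set-Cookie value returned by the farm (for example from a curl -I request to the HTTPS farm address) into cookie_flags(); a result with httponly or secure False means the field value was not applied as intended.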
Explanation of Cookie Flags #
HttpOnly #
- Prevents client-side scripts (e.g., JavaScript) from reading the cookie through the browser's document.cookie API.
- Helps mitigate the impact of Cross-Site Scripting (XSS) by preventing cookie theft from injected scripts.
- Ensures the cookie is only transmitted as part of HTTP/S requests made by the browser.
Secure #
- Ensures the cookie is only sent over encrypted HTTPS connections.
- Prevents exposure of session data over unencrypted HTTP traffic.
- Essential for protecting session integrity in production environments.
Why These Flags Matter #
Persistence cookies like NOIDSESSIONID are used to maintain session affinity between clients and backend servers. Without proper protection:
- Cookies could be accessed or manipulated via malicious scripts.
- Session identifiers could be exposed over insecure channels.
By enabling HttpOnly and Secure:
- You significantly reduce the attack surface.
- You align with modern web security best practices.
- You improve compliance with security standards and audits.
Limitations #
- This method is a workaround and not a native UI feature.
- Only applicable to HTTP and HTTPS farms.
- Not supported for TCP/UDP (L4) farms.
- Care must be taken to avoid syntax errors in the Cookie Domain field.
Additional Notes #
- Ensure your farm is configured to use HTTPS if you enable the Secure flag.
- Misconfiguration (e.g., spaces or incorrect formatting) may result in cookies not being set properly.
- Future RELIANOID versions may include native support for these flags.