How to Configure Secure Flag for AWS ELB Cookies in Java Applications


2 views

When using Amazon Elastic Load Balancer (ELB) with Java applications, developers often encounter a security concern where the AWSELB cookie isn't marked with the Secure flag. This exposes potential security vulnerabilities as the cookie could be transmitted over unencrypted HTTP connections.

HTTP/1.1 200 OK
Set-Cookie: AWSELB=lkajsldf; Path=/; Domain=test.com

By default, AWS ELB uses cookies for session persistence, but doesn't automatically set the Secure flag because:

  • It assumes applications might run in both HTTP and HTTPS environments
  • The configuration needs to be explicitly set for security best practices
  • Some legacy applications might break with strict cookie policies

For Java applications, we have several approaches to enforce Secure cookies:

1. Using Application Load Balancer (ALB) Attributes

If you're using ALB (recommended), configure the load balancer attributes:

aws elbv2 modify-load-balancer-attributes \
    --load-balancer-arn your-alb-arn \
    --attributes Key=routing.http.x_amzn_tls_version_and_cipher_suite.enabled,Value=true \
                 Key=routing.http.x_amzn_tls_version_and_cipher_suite.attributes,Value=Secure

2. Configuring Web Application Settings

For Tomcat servers, add to your web.xml:

<session-config>
    <cookie-config>
        <secure>true</secure>
        <http-only>true</http-only>
    </cookie-config>
</session-config>

3. Spring Security Configuration

For Spring Boot applications:

@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .requiresChannel()
            .anyRequest()
            .requiresSecure()
            .and()
            .sessionManagement()
            .sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
            .sessionFixation().migrateSession();
    }
}

After implementation, verify using curl:

curl -I https://yourdomain.com

Should return:

Set-Cookie: AWSELB=...; Secure; HttpOnly; Path=/; SameSite=Lax
  • Combine with SameSite cookie attribute for CSRF protection
  • Set proper max-age or Expires attributes
  • Consider implementing HSTS headers for additional protection

When configuring Elastic Load Balancers (ELB) on AWS for Java web applications, many developers encounter the issue where the AWSELB cookie isn't automatically set with the Secure flag. This exposes applications to potential security vulnerabilities, especially when running HTTPS-only services.

The Secure flag ensures cookies are only sent over encrypted HTTPS connections. Without it:

  • Session cookies could be intercepted in plaintext
  • Potential session hijacking risks
  • Doesn't comply with security best practices

Option 1: Configuring at the ELB Level

While AWS doesn't provide direct Secure flag configuration for ELB cookies, you can implement a workaround:

// In your web.xml
<session-config>
    <cookie-config>
        <secure>true</secure>
    </cookie-config>
</session-config>

Option 2: Using Application Load Balancer (ALB) Instead

ALB provides more cookie configuration options. The modern approach would be:

// AWS CLI command to update listener rules
aws elbv2 modify-listener \
    --listener-arn arn:aws:elasticloadbalancing:region:account-id:listener/app/load-balancer-name/1234567890123456/1234567890123456 \
    --default-actions Type=forward,TargetGroupArn=arn:aws:elasticloadbalancing:region:account-id:targetgroup/my-targets/1234567890123456 \
    --ssl-policy ELBSecurityPolicy-TLS-1-2-2017-01

Option 3: Programmatic Cookie Modification

For applications where you need full control:

// Java Servlet Filter example
public class SecureCookieFilter implements Filter {
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) 
        throws IOException, ServletException {
        HttpServletResponse httpResponse = (HttpServletResponse) response;
        chain.doFilter(request, response);
        String cookieHeader = httpResponse.getHeader("Set-Cookie");
        if (cookieHeader != null && cookieHeader.contains("AWSELB")) {
            httpResponse.setHeader("Set-Cookie", cookieHeader + "; Secure");
        }
    }
}

After implementing any solution, verify using:

curl -I https://yourdomain.com
# Check for Set-Cookie header containing "; Secure"
  • Combine with HttpOnly flag for XSS protection
  • Implement SameSite cookie attributes
  • Regularly rotate your ELB security policies