secure cookies behind load balancer about cookies HOT 8 CLOSED

we're all waiting for this jshttp/proxy-addr#2 :)

from cookies.

Yes :) Sorry, just getting out some body parser improvements (like not corrupting non-utf-8 bodies) and a new connect/express cycle real quick :) the (basically new) proxy-addr module was on my list right after creating depd in order to deprecate it's old name ;0

from cookies.

Has there been any progress on this? This looks like a show-stopping issue for probably the most common large-deployment configuration.

from cookies.

As of 0.5.0, this module works fine behind a load balancer if you use it with Express; otherwise if you are not using Express, you can set req.protocol = 'https' after you verify tat the request was HTTPS to your load balancer.

from cookies.

0.5.0 also works fine with koabehind a load balancer. If you are using Express or koa, the key is you need to configure them to be aware of the load balancer.

from cookies.

Thanks, but this isn't actually working with Koa due to this: koajs/koa#320

As this issue details, the req.protocol === "https" is never going to work since the req object is from the http library and does not have a protocol property. It is not a Koa request object.

Please add an option to disable this check. Not using secure cookies is a serious issue and is causing pen-testing failures for a typical reverse proxy configuration.

from cookies.

The problem here is that the check for "security" does not really make sense because there's just not enough information in the application itself to know if the request will be delivered to the user encrypted or not. I think it's bad logic and should be removed.

from cookies.

Is there any chance this will be fixed soon?

from cookies.