I'm using a Node server with Express and cookie-parser to send cookies to the client. The cookie looks something like this:

res.cookie(
  COOKIE_NAME,
  COOKIE_CONTENT, {
    maxAge: 15 * 60 * 1000, // 15 minutes
    secure: true,           // Secure attribute: browser sends it over HTTPS only
    httpOnly: true,         // not readable from document.cookie
    sameSite: true,         // Express writes this as SameSite=Strict
  });
It's working fine when used on my local machine but doesn't seem to work when I'm doing the same from an EC2 instance over the public IPv4 address AWS assigned to the EC2 instance. I'm wondering if I need a load balancer, an nginx proxy, or some additional configuration?
Note: CORS is also set with the proper origin; preflightContinue and credentials are enabled. All routes are accessible from the client. The client is also hosted on the same EC2 instance on a different port.
CodePudding user response:
It's by design (the HTTP standard) since you're setting the secure flag to true. See HTTP Cookies:
A cookie with the Secure attribute is only sent to the server with an encrypted request over the HTTPS protocol. It's never sent with unsecured HTTP (except on localhost), which means man-in-the-middle attackers can't access it easily.
If you still want your cookies to be sent securely, you can do one of these:
Install nginx on the same machine. Listen on 443 and route the requests to your app. Purchase an SSL certificate for your domain and use the nginx SSL configuration. More on how to do this here.
Add your EC2 instance to a target group. Purchase an SSL certificate for your domain. Create a load balancer, add a 443 listener and forward the requests to the target group you created, configuring the SSL certificate here.
Lastly, configure a subdomain in your DNS pointing it to either the machine, if you are going the nginx way, or else the load balancer. Hit the API using the https://subdomain.domain.com endpoint.