
JSESSIONID does not have the 'Secure' flag set in our Spring Boot application. The application is SSO enabled with OKTA as our IdP, and we are using Spring Security SAML.

Below is the application's simple flow.

Browser -> HTTPS -> AWS-ALB -> HTTP -> Spring Boot APP --> OKTA URL (HTTPS).

Here SSL termination happens at the ALB, and from the Spring Boot app's point of view the application is on HTTP.

The problem is that our security tool's analysis report complains that JSESSIONID does not have the 'secure' flag enabled. When I try to enable the secure cookie as below, the initial request has the JSESSIONID as 'secure', and after authentication the 'secure' flag is removed.

server.session.cookie.secure: true

Although this SO thread provides a way to add a 'secure' flag, I couldn't relate it to the scenario of SSL termination at the ALB side and the SAML assertion flow (the application's call to OKTA), which happens from HTTP to HTTPS.

Any idea how the JSESSIONID secure flag can be set/retained?

Haran

1 Answer


Adding server.tomcat.protocol-header=x-forwarded-proto to the Spring Boot configuration solved the issue.

I misunderstood that cookie flags (secure, http-only) would be shown in the Request Headers in Chrome dev tools, but that's not the case: the flags are only shown in the Response Headers, since the Set-Cookie header is only present in the response.

Haran
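A programmatic version of the fix in the answer above, as an added example that is not code from the question or the answer: a Spring Boot 2.x configuration (javax.servlet API) that registers Tomcat's RemoteIpValve so X-Forwarded-Proto is trusted only when the request arrives from the ALB's addresses, and that forces Secure and HttpOnly on the session cookie at the servlet-container level. The class name, bean names and the 10.0.0.0/8 internal-proxy pattern are assumptions; adjust the pattern to the subnets your ALB nodes actually use.

```java
import javax.servlet.SessionCookieConfig;

import org.apache.catalina.valves.RemoteIpValve;
import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
import org.springframework.boot.web.server.WebServerFactoryCustomizer;
import org.springframework.boot.web.servlet.ServletContextInitializer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

/**
 * Added example (not from the question or answer). Equivalent of setting
 * server.tomcat.protocol-header=x-forwarded-proto plus the session-cookie
 * secure/http-only properties, for an app behind an AWS ALB that terminates TLS.
 * With the valve in place Tomcat reports request.isSecure() == true for requests
 * the ALB received over HTTPS, so the JSESSIONID cookie is issued with Secure
 * both on the first request and on the session created after the SAML redirect.
 */
@Configuration
public class AlbSessionCookieConfig {

    // Assumed: the ALB nodes live in a 10.0.0.0/8 private subnet. Only requests
    // arriving from addresses matching this regex may change the scheme via
    // X-Forwarded-Proto; any other caller keeps the scheme of the raw connection,
    // so a plain-HTTP request cannot be promoted to "secure" just by adding the header.
    private static final String ALB_INTERNAL_PROXIES =
            "10\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}";

    @Bean
    public WebServerFactoryCustomizer<TomcatServletWebServerFactory> albForwardedProtoValve() {
        return factory -> {
            RemoteIpValve valve = new RemoteIpValve();
            valve.setProtocolHeader("x-forwarded-proto"); // same header as the answer's property
            valve.setRemoteIpHeader("x-forwarded-for");   // real client IP for access/audit logs
            valve.setInternalProxies(ALB_INTERNAL_PROXIES);
            factory.addEngineValves(valve);
        };
    }

    @Bean
    public ServletContextInitializer secureSessionCookie() {
        return servletContext -> {
            SessionCookieConfig cookie = servletContext.getSessionCookieConfig();
            cookie.setSecure(true);   // equivalent of server.servlet.session.cookie.secure=true
            cookie.setHttpOnly(true); // keeps JSESSIONID out of reach of page scripts
        };
    }
}
```

Verify the result on the response side, as the answer notes: the Secure and HttpOnly attributes appear only on the Set-Cookie header of each response in the login flow, not on the Cookie request header.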