How do I set the secure flag for Application Load Balancer cookies?

1 minute read

I can’t find a function in the AWS Management Console to turn on the secure flag for my Application Load Balancer cookies.


AWS doesn't allow you to change attributes or flags on the Application Load Balancer type (AWSALB) cookies. You can't decrypt or modify load balancer-generated cookies because their content is encrypted with a rotating key.

A secure flag protects cookies that carry sensitive information. An AWSALB cookie is inserted only in the header of the response when stickiness is activated. This cookie has just enough information to determine the backend instance of the Application Load Balancer that will receive the request.

Because the AWSALB cookies don't contain any customer-sensitive information, they don't have any mechanism to set the security flag. However, the cookies are still protected and encrypted. For more information on Application Load Balancer sticky sessions, see Sticky sessions for your Application Load Balancer.

AWS OFFICIALUpdated 23 days ago