Apply the secure attribute to session cookies

How do I apply the Secure attribute to session cookies?

Please help.

Hi @abhiec
Post "Diagnostic Info" from Admin > Troubleshooting.
And you need to provide more context. Your question doesn't make much sense.

Hi,
I encountered the same problem when trying to fully embed Metabase into a BPM application.
We use JWT auth and different domains. Metabase is exposed internally behind its own HTTPS proxy.
I have already tried my best with countless reconfigurations of Metabase and I always end up at the same problem:
the Microsoft Edge browser refuses to save the authentication cookie locally.
MS Edge complains about a missing "Secure" attribute in the Set-Cookie header.
-> Is there a way to configure Metabase/Jetty to always set the "Secure" attribute in its responses when sending cookies?

Notes:

  • Using the latest Metabase 1.46.7 enterprise jar as a systemd service
  • Metabase is securely exposed inside an internal network on HTTPS 443 with a valid certificate
  • Set MB_SESSION_COOKIE_SAMESITE to "none", since we are using different domains for the BPM and Metabase software
  • Correctly set the following necessary settings:
    -- Settings->General->SITE_URL to "https:eb....de" (also tried to set this with the corresponding env var)
    -- Settings->Embedding->Full-App-Embedding->Authorized-Sources to the BPM software's HTTP domain address
    -- JWT settings set up correctly: Authorized URI and signature string matching the configured BPM's key

I think you are hitting this: SSO with full-app embedding uses SESSION cookie instead of EMBEDDED_SESSION cookie · Issue #18823 · metabase/metabase · GitHub
Can you confirm?

As far as I understand the replies and information in the referenced GitHub issue, when using JWT embedding, SESSION cookies are always used instead of EMBEDDED_SESSION cookies (?).
I am not aware of the differences of an EMBEDDED_SESSION cookie.

So I can't confirm, since the "SameSite=None" attribute is set in my HTML response and does not cause my problem.


I need a "Secure" attribute, as shown here in other Metabase setups I completed in the past:

I want to know how I can configure Metabase to set the "Secure" tag. I have already fiddled around a lot with the configuration in my initial, problematic Metabase setup (seen in the 1st screenshot) and tried to align the configuration with my other working Metabase embeds (seen in the screenshot in this response), but never had success.

Here is the k8s deployment info of the working Metabase embed: (where the "Secure" Tag is set):

      containers:
        - name: metabase-pod
          image: metabase/metabase-enterprise:v1.46.6.1-latest-patch
          ports:
            - containerPort: 3000
              name: metabase
          env:
            - name: MB_PREMIUM_EMBEDDING_TOKEN
              value: '<censored>'
            - name: MB_APPLICATION_NAME
              value: 'Our Metabase App'
            - name: MB_ENABLE_EMBEDDING
              value: 'true'
            - name: MB_REDIRECT_ALL_REQUESTS_TO_HTTPS
              value: 'true'
            - name: MB_SITE_URL
              value: 'https://ebia.<maindomain>'
            - name: MB_JWT_ENABLED
              value: 'true'
            - name: MB_JWT_SHARED_SECRET
              value: '<censored>'
            - name: MB_JWT_IDENTITY_PROVIDER_URI
              value: 'https://<maindomain>'
            - name: MB_EMBEDDING_APP_ORIGIN
              value: 'https://<maindomain>'
            - name: MB_DB_TYPE
              value: 'mysql'
            - name: MB_DB_HOST
              value: '<censored>'
            - name: MB_DB_PORT
              value: '<censored>'

Answered on the ticket: use a reverse proxy to set the Secure tag.
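To make the reverse-proxy answer concrete, here is an added example (not code from Metabase or from anyone in this thread) that does two things: it applies the check a Chromium-based browser such as Edge applies to a Set-Cookie header (a cookie with SameSite=None but no Secure attribute is dropped), and it rewrites the header the way a proxy would, appending Secure to the session cookies. The cookie names metabase.SESSION and metabase.EMBEDDED_SESSION are taken from the thread; the Set-Cookie lines themselves are constructed sample data, not captured from a real deployment.

```python
"""Check and rewrite Set-Cookie headers for the Secure attribute.

Added illustration, not Metabase project code. The cookie names below are
those mentioned in the thread; all header strings are constructed samples.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Canonical spelling for attributes we re-emit (parsing is case-insensitive).
CANONICAL = {
    "path": "Path", "domain": "Domain", "expires": "Expires",
    "max-age": "Max-Age", "httponly": "HttpOnly", "secure": "Secure",
    "samesite": "SameSite",
}

# Assumption: these are the session cookies the proxy should always mark Secure.
SESSION_COOKIES = ("metabase.SESSION", "metabase.EMBEDDED_SESSION")


@dataclass
class Cookie:
    name: str
    value: str
    # lower-cased attribute name -> value, or None for flag attributes
    attrs: Dict[str, Optional[str]] = field(default_factory=dict)


def parse_set_cookie(header: str) -> Cookie:
    """Split one Set-Cookie header value into name, value and attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None
    return Cookie(name.strip(), value.strip(), attrs)


def serialize(cookie: Cookie) -> str:
    """Re-emit the cookie with conventional attribute capitalisation."""
    out = [f"{cookie.name}={cookie.value}"]
    for key, val in cookie.attrs.items():
        label = CANONICAL.get(key, key)
        out.append(label if val is None else f"{label}={val}")
    return "; ".join(out)


def rejection_reason(cookie: Cookie, secure_context: bool = True) -> Optional[str]:
    """Why a Chromium-based browser would refuse to store this cookie, or None.

    secure_context: True when the response arrived over HTTPS.
    """
    is_secure = "secure" in cookie.attrs
    samesite = (cookie.attrs.get("samesite") or "").lower()
    if is_secure and not secure_context:
        return "Secure cookie delivered over a non-HTTPS connection"
    if samesite == "none" and not is_secure:
        return "SameSite=None requires the Secure attribute"
    return None


def add_secure_flag(header: str, names: Tuple[str, ...] = SESSION_COOKIES) -> str:
    """What a reverse proxy would do: append Secure to the named cookies."""
    cookie = parse_set_cookie(header)
    if cookie.name in names and "secure" not in cookie.attrs:
        cookie.attrs["secure"] = None
    return serialize(cookie)


def audit(headers: List[Tuple[str, str]], secure_context: bool = True) -> List[Tuple[str, str]]:
    """Return (cookie name, reason) for every Set-Cookie a browser would drop."""
    findings = []
    for key, val in headers:
        if key.lower() != "set-cookie":
            continue
        cookie = parse_set_cookie(val)
        reason = rejection_reason(cookie, secure_context)
        if reason:
            findings.append((cookie.name, reason))
    return findings


# Constructed sample: what the thread describes Metabase sending behind the proxy.
BROKEN_HEADER = "metabase.SESSION=abc123; Path=/; HttpOnly; SameSite=None"

if __name__ == "__main__":
    for name, reason in audit([("Set-Cookie", BROKEN_HEADER)]):
        print(f"browser drops {name}: {reason}")
    print("proxy rewrite:", add_secure_flag(BROKEN_HEADER))
```

With nginx in front of Metabase, the equivalent rewrite is its proxy_cookie_flags directive (available since nginx 1.19.3), e.g. `proxy_cookie_flags metabase.SESSION secure;` in the location that proxies to port 3000; the Python above only shows what that rewrite produces and why the browser needed it.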

Yeah, but it'd be nice if we could set that behaviour in the Metabase settings, have a dedicated env var, and understand why the Secure tag is set when only changing both variables MB_REDIRECT_ALL_REQUESTS_TO_HTTPS=true and MB_SESSION_COOKIE_SAMESITE=lax.