How to set the secure flag for cookie _forum_session

Hello,
Our site should work with http and https, and we need to secure the cookie (_forum_session). The cookie is missing the Secure flag and only has HttpOnly. How can this be set up with Secure as well?

Thanks

You should set your site up to work over https only.

4 Likes

Is there no way to modify this in the Discourse code?

Hey @mevaha

The trend in the web, for many years, is to only use HTTPS.

This used to be a problem until organizations like Let’s Encrypt (LE) started giving SSL certs away for free and provided a robust mechanism to manage certs.

When LE (certbot) is used to configure the certs on your site, it will set up both HTTP and HTTPS and HTTP traffic will be completely redirected to HTTPS, automatically.

Of course, you can find a way to run Discourse HTTP only but it is not going to be supported except in Discourse development; because without HTTPS, all user login information, including passwords, would be transmitted unencrypted across the net. This is NOT supported in production.

Think of it like this. HTTPS is like wearing seatbelts in a car. People who want to drive without seatbelts do this at their own risk; and so car manufacturers are not going to produce cars without seatbelts.

The same is true for Discourse. Discourse is designed to run securely in production; and so the supported version of Discourse, in production, is HTTPS.

Hope this helps.

Sorry not to be more helpful.

1 Like

Thank you @neounix. Our issue is that the HTTPS cert is managed by the load balancer, and only port 80 is open between Discourse and the load balancer. We tried to redirect HTTP to HTTPS without success. Could you please share with me the config file for cookies in Discourse?

Thanks

Hi @mevaha

If that is the case, then more than likely you have a reverse proxy in front of your load balancer (or as a part of your load balancer).

Let me explain.

The reverse proxy (with load balancer if you have one) communicates with Discourse on the back end using HTTP.

So you are correct that Discourse communicates only HTTP, but only to the reverse proxy, not to the outside world.

So, it goes like this:

WEB USERS  <-----> HTTPS  <-----> REVERSE PROXY <----> HTTP <----> LOAD BALANCER <----> DISCOURSE (DOCKER)

Hence, you can expose your DISCOURSE Docker container as Port 80 (HTTP Only) as you are talking about.

However, on the web-facing site, you need a reverse proxy which is proxying the HTTPS requests to back end using HTTP.

Your reverse proxy (with load balancer), if set up correctly, will make sure HTTP cookies and headers are passed back and forth correctly.

Hope this helps.

If you have more questions, please ask.

Please note that if you kindly provide the exact technical details of your architecture it will be much easier to assist you; as we don’t have a crystal ball app working for us 🙂

2 Likes
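The reply above describes the situation in the original question: TLS is terminated at the proxy or load balancer, and Discourse only ever sees plain HTTP. A Rails app in that position cannot know the client connection was HTTPS (and so cannot mark the session cookie Secure) unless the proxy tells it via the `X-Forwarded-Proto` header, and the app should believe that header only when the request really came from its proxy, otherwise anyone on the internet could spoof it. The following Ruby is an added example written for this thread, not Discourse's own code: a Rack-style check of the forwarded scheme against a trusted proxy range, the resulting `Set-Cookie` value for `_forum_session`, and a small parser that verifies the flags a scanner would look for. The proxy range, the request hashes and the cookie value are constructed assumptions.

```ruby
# Added example (not Discourse's own code): deciding that a request was HTTPS
# behind a TLS-terminating reverse proxy, and marking the session cookie Secure.
require "ipaddr"

# Assumption (hypothetical): the reverse proxy / load balancer sits in this range.
# Only requests arriving from here may assert X-Forwarded-Proto.
TRUSTED_PROXIES = [IPAddr.new("10.0.0.0/8"), IPAddr.new("127.0.0.1")].freeze

# Takes a Rack-style env hash; true if the original client connection was TLS.
def forwarded_https?(env)
  return true if env["rack.url_scheme"] == "https"   # TLS terminated by the app itself
  peer = env["REMOTE_ADDR"]
  return false if peer.nil?
  begin
    peer_ip = IPAddr.new(peer)
  rescue IPAddr::InvalidAddressError
    return false
  end
  return false unless TRUSTED_PROXIES.any? { |net| net.include?(peer_ip) }
  # First value wins if several proxies appended to the header.
  env["HTTP_X_FORWARDED_PROTO"].to_s.split(",").first.to_s.strip.downcase == "https"
end

# Builds the Set-Cookie header value for the session cookie.
# Secure is added only when the request is known to have arrived over HTTPS.
def session_set_cookie(env, value:, name: "_forum_session")
  attrs = ["#{name}=#{value}", "Path=/", "HttpOnly", "SameSite=Lax"]
  attrs << "Secure" if forwarded_https?(env)
  attrs.join("; ")
end

# Parses a Set-Cookie value into its name and lower-cased attribute names,
# i.e. the check a scanner runs when it reports "Cookie Missing Secure flag".
def cookie_flags(set_cookie)
  parts = set_cookie.split(";").map(&:strip)
  name = parts.shift.split("=", 2).first
  { name: name, flags: parts.map { |p| p.split("=", 2).first.downcase } }
end

def cookie_secure?(set_cookie)
  cookie_flags(set_cookie)[:flags].include?("secure")
end

# Constructed request envs (not captured traffic):
# 1. the proxy forwarded an HTTPS request and set the header correctly;
# 2. the proxy forgot the header, so the app cannot tell and stays conservative;
# 3. an internet client spoofs the header while talking HTTP directly to the app.
PROXIED_HTTPS = { "rack.url_scheme" => "http", "REMOTE_ADDR" => "10.1.2.3",
                  "HTTP_X_FORWARDED_PROTO" => "https" }.freeze
PROXIED_NO_HEADER = { "rack.url_scheme" => "http", "REMOTE_ADDR" => "10.1.2.3" }.freeze
SPOOFED_FROM_INTERNET = { "rack.url_scheme" => "http", "REMOTE_ADDR" => "203.0.113.9",
                          "HTTP_X_FORWARDED_PROTO" => "https" }.freeze

if $PROGRAM_NAME == __FILE__
  { "proxied https" => PROXIED_HTTPS,
    "proxied, header missing" => PROXIED_NO_HEADER,
    "spoofed from internet" => SPOOFED_FROM_INTERNET }.each do |label, env|
    sc = session_set_cookie(env, value: "opaque-session-id")
    puts "#{label.ljust(24)} -> #{sc}   secure=#{cookie_secure?(sc)}"
  end
end
```

Case 2 is the failure mode behind the original report: if the proxy does not pass `X-Forwarded-Proto: https` (in nginx, `proxy_set_header X-Forwarded-Proto $scheme;` on the TLS server block), the app has no reason to add Secure, and a scanner will keep flagging the cookie even though users only ever reach the site over HTTPS. Case 3 is why the header must be trusted only from the proxy's own addresses. In Discourse itself the equivalent switch is the `force_https` site setting rather than anything in a cookie config file.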

Thanks a lot @neounix

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.