galaxysession cookie secure flag
Hi dev-team,

We have placed our Galaxy instance behind SSL and I need to make sure that the secure flag is set on the cookie (commonly represented by the word “secure” under the Security column), but I am not able to do the same. Something like below:

[image: Inline image 2]

When I checked on my instance I saw as below:

[image: Inline image 3]

I have made the necessary changes to my ssl.conf to put the flag as secure, but it does not seem to appear here.

    Header edit Set-Cookie ^(.*)$ $1;Secure;HttpOnly

Does anybody have experience in setting up the same? Thanks in advance,

--/Vipin
Hello,

I figured out the place where the cookie gets set in Galaxy and then added secure to that. Apache configuration didn't work well. I added the following code into the function "set_cookie" in lib/galaxy/web/framework/__init__.py:

    def set_cookie( self, value, name='galaxysession', path='/', age=90, version='1' ):
        # (added inside the existing function body)
        try:
            self.response.cookies[name]['secure'] = True
        except CookieError, e:
            log.warning( "Error setting secure attribute in cookie '%s': %s" % ( name, e ) )

I tested by running the following; now I can see the flag "secure" in the Set-Cookie header:

    curl -k -D - https://gx.cbio.mskcc.org/ -o /dev/null
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
      0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
    HTTP/1.1 200 OK
    Date: Mon, 06 May 2013 14:50:16 GMT
    Server: PasteWSGIServer/0.5 Python/2.6.6
    content-type: text/html; charset=UTF-8
    Set-Cookie: galaxysession=7cf35ade3e68eef6c0bd6866318609b987df86a0d50ecc280f02efaa5966a9aa59ce7177812bed97; expires=Sun, 04-Aug-2013 10:50:16 GMT; httponly; Max-Age=7776000; Path=/; secure; Version=1
    Connection: close
    Transfer-Encoding: chunked

    100 25395    0 25395    0     0  35881      0 --:--:-- --:--:-- --:--:-- 69575

--Vipin
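An added example (not part of the original messages and not Galaxy code): a small Python check that reads response headers such as those printed by `curl -D -` in the thread and reports any cookie missing the `secure` or `httponly` attribute. The sample headers and the cookie value are constructed; the function names are hypothetical.

```python
def parse_set_cookie(value):
    """Split one Set-Cookie header value into (cookie name, attribute dict)."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        # Attribute names are case-insensitive: "Secure" and "secure" are the same.
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_cookies(raw_headers, required=("secure", "httponly")):
    """Return {cookie name: [missing attributes]} for a block of response headers."""
    findings = {}
    for line in raw_headers.splitlines():
        field, sep, value = line.partition(":")
        if not sep or field.strip().lower() != "set-cookie":
            continue  # status line or some other header
        name, attrs = parse_set_cookie(value)
        findings[name] = [a for a in required if a not in attrs]
    return findings


# Constructed sample headers modelled on the curl output in the thread.
_BASE = ("galaxysession=CONSTRUCTED-VALUE; expires=Sun, 04-Aug-2013 10:50:16 GMT; "
         "httponly; Max-Age=7776000; Path=/; Version=1")
BEFORE = "HTTP/1.1 200 OK\r\nDate: Mon, 06 May 2013 14:50:16 GMT\r\nSet-Cookie: " + _BASE + "\r\n"
# After the set_cookie change: the attribute appears as "secure".
AFTER = BEFORE.replace("Path=/;", "Path=/; secure;")
# What the Header edit directive from the first message would append if it took effect.
APACHE_EDIT = "Set-Cookie: " + _BASE + ";Secure;HttpOnly\r\n"

if __name__ == "__main__":
    for label, headers in (("before", BEFORE), ("after", AFTER), ("apache", APACHE_EDIT)):
        print(label, audit_cookies(headers))
```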
participants (1): Vipin TS