Configure session cookies
Security Requirements and Controls
Change sessions permission
LogScale defaults to using cookies as a secure mechanism to establish a session between the LogScale web front-end and back-end API. The only information stored in a LogScale session cookie is a session identifier (a unique code that links your browser to your login).
Cookies are automatically configured based on your PUBLIC_URL. You can also configure cookies manually via the LogScale configuration file, or disable cookies entirely and use bearer token authentication instead (less secure).
Using cookies puts a constraint on how the web front-end and back-end API are served:
The frontend needs to be on the same domain or subdomain as the back-end API.
If the web frontend and backend are both served from https://cloud.humio.com, you do not need to configure anything manually.
If, for example, the frontend is served from https://cloud.humio.com and the backend is served from a subdomain such as https://api.cloud.humio.com, you need to set COOKIE_DOMAIN to cloud.humio.com. That's because if a domain is specified, then subdomains are always included. Therefore, specifying the domain is less restrictive than omitting it.
If you need to serve the back-end API and frontend from two different domains with no subdomain relation, you cannot use secure cookies. Instead you need to use a less secure bearer token (an authentication method that passes credentials in HTTP headers). This is done by enabling bearer token authorization via the configuration option:
ENABLE_BEARER_TOKEN_AUTHORIZATION=true
Manual Configuration
These are the configuration parameters that control the cookie behavior when installed on your infrastructure:
For a detailed discussion of cookies, see Mozilla Developer.
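The domain rules described above for COOKIE_DOMAIN, worked through as an added Python example (not LogScale code): it applies the RFC 6265 domain-matching rule to show which hosts a browser sends the session cookie to with and without a domain value, and maps a frontend/backend URL pair to the setting this page names. The function names are hypothetical, other.cloud.humio.com and api.example.net are constructed hosts, and choosing the parent host when the frontend is the subdomain is an assumption.

```python
from urllib.parse import urlsplit


def domain_match(host, domain):
    """RFC 6265 section 5.1.3: host equals domain or is a subdomain of it."""
    host = host.lower().rstrip(".")
    domain = domain.lower().lstrip(".")
    # The leading dot stops "notcloud.humio.com" matching "cloud.humio.com".
    return host == domain or host.endswith("." + domain)


def receives_cookie(request_host, setting_host, cookie_domain=None):
    """Would a browser attach the cookie to a request for request_host?"""
    if cookie_domain is None:
        # No domain given: host-only cookie, exact match on the setting host.
        return request_host.lower() == setting_host.lower()
    # Domain given: the named host and every subdomain of it match.
    return domain_match(request_host, cookie_domain)


def cookie_scope(hosts, setting_host, cookie_domain=None):
    """Subset of hosts that would receive the session cookie."""
    return [h for h in hosts if receives_cookie(h, setting_host, cookie_domain)]


def required_setting(frontend_url, backend_url):
    """Map the three deployment layouts on this page to a configuration line."""
    fe = urlsplit(frontend_url).hostname
    be = urlsplit(backend_url).hostname
    if fe == be:
        return None  # same host: nothing to configure manually
    if domain_match(be, fe):
        return f"COOKIE_DOMAIN={fe}"  # backend on a subdomain of the frontend
    if domain_match(fe, be):
        return f"COOKIE_DOMAIN={be}"  # assumption: reverse case uses the parent
    return "ENABLE_BEARER_TOKEN_AUTHORIZATION=true"  # no subdomain relation


if __name__ == "__main__":
    # Constructed host list for illustration.
    hosts = ["cloud.humio.com", "api.cloud.humio.com",
             "other.cloud.humio.com", "notcloud.humio.com"]
    print("host-only :", cookie_scope(hosts, "cloud.humio.com"))
    print("with domain:", cookie_scope(hosts, "cloud.humio.com", "cloud.humio.com"))
    print(required_setting("https://cloud.humio.com", "https://api.cloud.humio.com"))
    print(required_setting("https://cloud.humio.com", "https://api.example.net"))
```

With the domain set, the session cookie reaches every host under cloud.humio.com, so anything else served from a subdomain of that name also receives it.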