Configuring Session Cookies

Humio defaults to using cookies as a secure mechanism to establish a session between the Humio web frontend and backend API. The only information that's stored in a Humio session cookie is a session identifier.

Cookies are automatically configured based on your PUBLIC_URL. They can also be configured manually via the Humio configuration file, or disabled completely in favor of a less secure bearer token.

Using cookies puts a constraint on how the web frontend and backend API are served:

  • The frontend needs to be on the same domain or subdomain as the backend API.

  • If the web frontend and backend are both served from, e.g., https://cloud.humio.com, you do not need to configure anything manually.

  • If the frontend is served from, e.g., https://cloud.humio.com and the backend is served from a subdomain such as https://api.cloud.humio.com, you need to set COOKIE_DOMAIN to cloud.humio.com. That's because when the cookie's Domain attribute is specified, subdomains are always included. Specifying Domain is therefore less restrictive than omitting it.

  • If you need to serve the backend API and frontend from two different domains with no subdomain relation, you cannot use secure cookies. Instead, you need to use a less secure bearer token. This is done by enabling bearer token authorization via the configuration option:

ENABLE_BEARER_TOKEN_AUTHORIZATION=true
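The three cases above can be checked before deployment. The following is an added example, not Humio code: `domainMatches`, `cookieSentTo` and `planSessionAuth` are hypothetical helper names, the domain-match rule is the one from RFC 6265 section 5.1.3, and treating the reverse layout (frontend on a subdomain of the backend) like the subdomain case is an assumption.

```javascript
// Added example: hypothetical helpers, not part of Humio.

// RFC 6265 5.1.3 domain-match: would `host` receive a cookie whose
// Domain attribute is `cookieDomain`?
function domainMatches(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase().replace(/^\./, ""); // leading dot is ignored
  if (h === d) return true;
  const isIp = /^[\d.]+$/.test(h) || h.includes(":"); // IPs never match by suffix
  return !isIp && h.endsWith("." + d);
}

// Domain omitted  -> host-only cookie: only the host that set it gets it back.
// Domain present  -> that domain and every subdomain get it.
function cookieSentTo(requestHost, settingHost, cookieDomain) {
  return cookieDomain
    ? domainMatches(requestHost, cookieDomain)
    : requestHost.toLowerCase() === settingHost.toLowerCase();
}

// Map a frontend/backend URL pair onto the cases in the list above.
function planSessionAuth(frontendUrl, backendUrl) {
  const front = new URL(frontendUrl).hostname;
  const back = new URL(backendUrl).hostname;
  if (front === back) {
    return { mode: "cookie", settings: {} }; // nothing to configure manually
  }
  // One host is a subdomain of the other: scope the cookie to the parent host.
  const parent = domainMatches(back, front) ? front
               : domainMatches(front, back) ? back   // assumption: reverse layout
               : null;
  if (parent) {
    return { mode: "cookie", settings: { COOKIE_DOMAIN: parent } };
  }
  // No subdomain relation: cookies cannot be used, fall back to bearer token.
  return { mode: "bearer", settings: { ENABLE_BEARER_TOKEN_AUTHORIZATION: "true" } };
}

// Constructed sample inputs.
console.log(planSessionAuth("https://cloud.humio.com", "https://cloud.humio.com"));
console.log(planSessionAuth("https://cloud.humio.com", "https://api.cloud.humio.com"));
console.log(planSessionAuth("https://logs.example.org", "https://api.example.net"));
```

Because a cookie with Domain set reaches every subdomain, any other service hosted under the chosen COOKIE_DOMAIN will also receive the session identifier.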

Manual Configuration

These are the configuration variables that control cookie behaviour:

Please see Mozilla Developer for a detailed discussion.