How to enable secure cookies when using Drupal 8 with proxy/LB/Cloudflare

Drupal 8 only sends the secure flag on the session cookie for HTTPs connections. That may be a problem when there’s multiple layers of servers and reverse proxies between the user and the server. Imagine `Server (HTTP) -> Load Balancer (80) -> Cloudflare (443)`, Drupal may incorrectly assume its getting an HTTP connection and will not send the cookie.

From a user perspective, the cookie is being sent from Cloudflare through an HTTPs connection and should have the secure flag in the cookie.

For previous Drupal releases it was possible to hard code the connection mode, such as `settings.php: $conf[‘https’] = 1;`

For Drupal 8 you may work around the issue by Secure Login module in its default settings.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store