[keycloak-user] Set-Cookie is missing 'Secure' and 'HttpOnly' flags
Rudresh Shashikant
rudreshsj at gmail.com
Wed Sep 20 07:31:54 EDT 2017
Hi
I would like to discuss 2 items when Keycloak responds with "Set-Cookie"
headers:
1. "HttpOnly" flag
2. "Secure" flag
1. "HttpOnly" flag:
I can see that affected cookie is:
* KEYCLOAK_SESSION
My understanding is (please correct me where inaccurate/wrong) that the
"HttpOnly" flag is not included on purpose because the iframe in the
browser that maintains the session with keycloak needs Javascript to modify
the cookie and hence the "HttpOnly" flag will disallow this ability,
breaking the feature as a result.
Reference: The OIDC spec (
http://openid.net/specs/openid-connect-session-1_0.html) states that :
*"If a cookie is used to maintain the OP browser state, the HttpOnly flag
likely can't be set for this cookie because it needs to be accessed from
JavaScript. Therefore, information that can be used for identifying the
user should not be put into the cookie, as it could be read by unrelated
JavaScript."*
2. "Secure" flag:
I can see that affected cookies are:
* AUTH_SESSION_ID
* KC_RESTART
* KEYCLOAK_IDENTITY
* KEYCLOAK_SESSION
I fail to understand why the "Secure" flag is not being set on all these
cookies. As I understand it, "Secure" flag should be set to ensure that
only the "HTTPS" version of the site can access the cookie else a "HTTP"
version will also be able to access the cookie on the same domain.
The NGINX proxy will have a 301 redirect for all HTTP requests so it is not
a major concern but it still does not answer the question as to why the
server did not set this flag on all cookies.
Can it be set using NGINX ? If it is set will any keycloak feature break?
Thanks.
Regards,
Rudy.
More information about the keycloak-user
mailing list