[keycloak-user] Set-Cookie is missing 'Secure' and 'HttpOnly' flags

Bill Burke bburke at redhat.com
Fri Sep 22 09:40:07 EDT 2017


The realm's SSL policy has to be set to SSL required for Secure-Only
to be set.  Out of the box, Keycloak does not have SSL/HTTPS set up.
Wildfly recently introduced an SSL setup option that we may eventually
take advantage of, but right now, Keycloak does not have SSL/HTTPS
enabled out of the box.

Looking at our code KEYCLOAK_SESSION cookie is not marked HttpOnly and
is used by our iframe to detect if the user is logged in still.
KEYCLOAK_IDENTITY *is* marked HttpOnly.

On Wed, Sep 20, 2017 at 7:31 AM, Rudresh Shashikant <rudreshsj at gmail.com> wrote:
> Hi
>
> I would like to discuss 2 items when Keycloak responds with "Set-Cookie"
> headers:
> 1. "HttpOnly" flag
> 2. "Secure" flag
>
> 1. "HttpOnly" flag:
> I can see that affected cookie is:
> * KEYCLOAK_SESSION
>
> My understanding is (please correct me where inaccurate/wrong) that the
> "HttpOnly" flag is not included on purpose because the iframe in the
> browser that maintains the session with keycloak needs JavaScript to modify
> the cookie and hence the "HttpOnly" flag will disallow this ability,
> breaking the feature as a result.
>
> Reference: The OIDC spec (
> http://openid.net/specs/openid-connect-session-1_0.html) states that :
> *"If a cookie is used to maintain the OP browser state, the HttpOnly flag
> likely can't be set for this cookie because it needs to be accessed from
> JavaScript. Therefore, information that can be used for identifying the
> user should not be put into the cookie, as it could be read by unrelated
> JavaScript."*
>
> 2. "Secure" flag:
> I can see that affected cookies are:
> * AUTH_SESSION_ID
> * KC_RESTART
> * KEYCLOAK_IDENTITY
> * KEYCLOAK_SESSION
>
> I fail to understand why the "Secure" flag is not being set on all these
> cookies. As I understand it, "Secure" flag should be set to ensure that
> only the "HTTPS" version of the site can access the cookie else a "HTTP"
> version will also be able to access the cookie on the same domain.
>
> The NGINX proxy will have a 301 redirect for all HTTP requests so it is not
> a major concern but it still does not answer the question as to why the
> server did not set this flag on all cookies.
> Can it be set using NGINX ? If it is set will any keycloak feature break?
>
> Thanks.
>
> Regards,
> Rudy.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user



-- 
Bill Burke
Red Hat
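A worked check for the two questions in this thread (which cookies lack Secure or HttpOnly, and what breaks if a proxy adds the flags blindly). This is an added example, not code from Keycloak or from either poster: it parses raw Set-Cookie header values and reports the missing attributes. The cookie names are the ones named in the thread; the rule that KEYCLOAK_SESSION must remain readable from JavaScript is taken from Bill's reply (the login-status iframe reads it). Cookie values and paths in the samples are constructed placeholders, and the audit_url helper is an assumed convenience for running the same check against a real realm.

```python
"""Audit Set-Cookie headers for the Secure and HttpOnly attributes.

Added example; not Keycloak code. Cookie values/paths below are constructed.
"""
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass
class CookieInfo:
    name: str
    secure: bool = False
    httponly: bool = False
    samesite: str = ""
    path: str = ""


def parse_set_cookie(header_value: str) -> CookieInfo:
    """Parse one Set-Cookie value into its name plus the flags we care about.

    Attribute names are case-insensitive (RFC 6265); attributes we do not
    inspect (Version, Max-Age, Domain, ...) are ignored.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    info = CookieInfo(name=name)
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            info.secure = True
        elif key == "httponly":
            info.httponly = True
        elif key == "samesite":
            info.samesite = val.strip()
        elif key == "path":
            info.path = val.strip()
    return info


# Cookies the session iframe reads from JavaScript (per Bill's reply).
# HttpOnly on these breaks the logged-in check, which is why the OIDC
# Session spec says such a cookie must not carry user-identifying data.
JS_READABLE = frozenset({"KEYCLOAK_SESSION"})

IFRAME_BREAK = "HttpOnly set on a cookie the session iframe reads via JavaScript"


def audit(set_cookie_values: Iterable[str], js_readable=JS_READABLE) -> Dict[str, List[str]]:
    """Return {cookie name: [problems]}; an empty list means the cookie is fine."""
    findings: Dict[str, List[str]] = {}
    for value in set_cookie_values:
        c = parse_set_cookie(value)
        problems: List[str] = []
        if not c.secure:
            problems.append("missing Secure")
        if c.name in js_readable:
            if c.httponly:
                problems.append(IFRAME_BREAK)
        elif not c.httponly:
            problems.append("missing HttpOnly")
        findings[c.name] = problems
    return findings


def flagged(findings: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Keep only the cookies that have at least one problem."""
    return {name: probs for name, probs in findings.items() if probs}


def audit_url(url: str) -> Dict[str, List[str]]:
    """Assumed helper: fetch e.g. a realm login page and audit its Set-Cookie headers."""
    try:
        with urllib.request.urlopen(url) as resp:
            values = resp.headers.get_all("Set-Cookie") or []
    except urllib.error.HTTPError as err:  # 4xx/5xx responses still carry headers
        values = err.headers.get_all("Set-Cookie") or []
    return audit(values)


# Constructed samples mirroring the thread: realm served over plain HTTP (no
# Secure anywhere), KEYCLOAK_SESSION without HttpOnly, the other three with it.
HEADERS_HTTP_REALM = [
    "AUTH_SESSION_ID=5e9c2b7d; Version=1; Path=/auth/realms/demo/; HttpOnly",
    "KC_RESTART=redacted; Version=1; Path=/auth/realms/demo/; HttpOnly",
    "KEYCLOAK_IDENTITY=redacted; Version=1; Path=/auth/realms/demo/; HttpOnly",
    "KEYCLOAK_SESSION=demo/5e9c2b7d/9f1a4c3e; Version=1; Path=/auth/realms/demo/",
]
# The same cookies once the realm requires SSL: Secure is added, nothing else changes.
HEADERS_SSL_REQUIRED = [h + "; Secure" for h in HEADERS_HTTP_REALM]
# What a blanket proxy rewrite appending "; Secure; HttpOnly" to every cookie yields.
HEADERS_BLANKET_REWRITE = [h + "; Secure; HttpOnly" for h in HEADERS_HTTP_REALM]

if __name__ == "__main__":
    for label, headers in [("plain HTTP realm", HEADERS_HTTP_REALM),
                           ("SSL required", HEADERS_SSL_REQUIRED),
                           ("blanket proxy rewrite", HEADERS_BLANKET_REWRITE)]:
        print(label, flagged(audit(headers)))
```

The third sample is the caveat for the NGINX question: a rewrite that appends both flags to every Set-Cookie fixes Secure but also puts HttpOnly on KEYCLOAK_SESSION, which the iframe reads from JavaScript, so the audit reports it rather than treating it as hardened. Setting the realm's SSL policy so Keycloak emits Secure itself avoids that.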

