[keycloak-user] Set-Cookie is missing 'Secure' and 'HttpOnly' flags

Rudresh Shashikant rudreshsj at gmail.com
Sun Sep 24 22:47:50 EDT 2017


Hi Bill,

thanks for the info on "require SSL" in the realm Login settings. I did not
toggle that because I thought it would require Java keystore
certificates, whereas I am just fronting with NGINX. Oh well, I tested and
it works.

Also thanks for clarifying the HttpOnly behaviour.


Regards,
Rudy.

On Fri, Sep 22, 2017 at 8:40 PM, Bill Burke <bburke at redhat.com> wrote:

> The realm's SSL policy has to be set to SSL required for Secure-Only
> to be set.  Out of the box, Keycloak does not have SSL/HTTPS set up.
> Wildfly recently introduced an SSL setup option that we may eventually
> take advantage of, but right now, Keycloak does not have SSL/HTTP
> enabled out of the box.
>
> Looking at our code KEYCLOAK_SESSION cookie is not marked HttpOnly and
> is used by our iframe to detect if the user is logged in still.
> KEYCLOAK_IDENTITY *is* marked HttpOnly.
>
> On Wed, Sep 20, 2017 at 7:31 AM, Rudresh Shashikant <rudreshsj at gmail.com>
> wrote:
> > Hi
> >
> > I would like to discuss 2 items when Keycloak responds with "Set-Cookie"
> > headers:
> > 1. "HttpOnly" flag
> > 2. "Secure" flag
> >
> > 1. "HttpOnly" flag:
> > I can see that affected cookie is:
> > * KEYCLOAK_SESSION
> >
> > My understanding is (please correct me where inaccurate/wrong) that the
> > "HttpOnly" flag is not included on purpose because the iframe in the
> > browser that maintains the session with keycloak needs Javascript to
> > modify the cookie and hence the "HttpOnly" flag will disallow this ability,
> > breaking the feature as a result.
> >
> > Reference: The OIDC spec (
> > http://openid.net/specs/openid-connect-session-1_0.html) states that :
> > *"If a cookie is used to maintain the OP browser state, the HttpOnly flag
> > likely can't be set for this cookie because it needs to be accessed from
> > JavaScript. Therefore, information that can be used for identifying the
> > user should not be put into the cookie, as it could be read by unrelated
> > JavaScript."*
> >
> > 2. "Secure" flag:
> > I can see that affected cookies are:
> > * AUTH_SESSION_ID
> > * KC_RESTART
> > * KEYCLOAK_IDENTITY
> > * KEYCLOAK_SESSION
> >
> > I fail to understand why the "Secure" flag is not being set on all these
> > cookies. As I understand it, "Secure" flag should be set to ensure that
> > only the "HTTPS" version of the site can access the cookie else a "HTTP"
> > version will also be able to access the cookie on the same domain.
> >
> > The NGINX proxy will have a 301 redirect for all HTTP requests so it is
> > not a major concern but it still does not answer the question as to why the
> > server did not set this flag on all cookies.
> > Can it be set using NGINX? If it is set, will any keycloak feature break?
> >
> > Thanks.
> >
> > Regards,
> > Rudy.
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
> --
> Bill Burke
> Red Hat
>
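A small checker for the flags discussed in this thread, added here as an example (it is not Keycloak's code nor anything posted to the list): it parses Set-Cookie values and reports which of the four cookies named above lack the flags one would expect once "require SSL" is on, treating the absent HttpOnly on KEYCLOAK_SESSION as intentional per Bill's reply. The header values and the cookie paths in them are constructed samples, and the per-cookie policy is an assumption drawn from the thread, not a Keycloak specification.

```python
"""Audit Set-Cookie header values for the Secure and HttpOnly flags."""
from typing import Dict, List, Set, Tuple

# Expected flags per cookie. Assumption based on the thread: all four cookies
# should be Secure once the realm requires SSL; all but KEYCLOAK_SESSION should
# be HttpOnly, because the session iframe reads KEYCLOAK_SESSION from JavaScript.
POLICY: Dict[str, Set[str]] = {
    "AUTH_SESSION_ID": {"secure", "httponly"},
    "KC_RESTART": {"secure", "httponly"},
    "KEYCLOAK_IDENTITY": {"secure", "httponly"},
    "KEYCLOAK_SESSION": {"secure"},  # HttpOnly intentionally absent
}

# Constructed sample Set-Cookie values (not captured from a real server).
SAMPLE_HEADERS: List[str] = [
    "AUTH_SESSION_ID=abc123.node1; Path=/auth/realms/example/; HttpOnly",
    "KC_RESTART=eyJhbGciOi.example; Path=/auth/realms/example/; HttpOnly",
    "KEYCLOAK_IDENTITY=eyJhbGciOi.example; Path=/auth/realms/example/; Secure; HttpOnly",
    "KEYCLOAK_SESSION=example/1234/5678; Path=/auth/realms/example/; Secure",
]


def parse_set_cookie(header_value: str) -> Tuple[str, Set[str]]:
    """Return (cookie_name, lowercased attribute names) for one Set-Cookie value.

    Attribute names are case-insensitive per RFC 6265, so "HttpOnly" and
    "httponly" are treated the same; attribute values (Path=..., Max-Age=...)
    are dropped because only the flag names matter here.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def audit_set_cookie(header_values: List[str],
                     policy: Dict[str, Set[str]] = POLICY) -> Dict[str, List[str]]:
    """Map each policed cookie that was set to the flags it is missing.

    An empty list means the cookie is compliant; cookies not in the policy are
    ignored so unrelated application cookies do not produce noise.
    """
    findings: Dict[str, List[str]] = {}
    for value in header_values:
        name, attrs = parse_set_cookie(value)
        if name in policy:
            findings[name] = sorted(policy[name] - attrs)
    return findings


if __name__ == "__main__":
    for cookie, missing in audit_set_cookie(SAMPLE_HEADERS).items():
        print(f"{cookie}: {'missing ' + ', '.join(missing) if missing else 'ok'}")
```

To check a live deployment, feed it the Set-Cookie values from the login response (for example from `curl -i`). On the NGINX side, the `proxy_cookie_flags` directive (nginx 1.19.3 and later) can add Secure at the proxy, but adding HttpOnly to KEYCLOAK_SESSION there would break the session iframe behaviour described above.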

