Yes - it's only there as a marker for when the session is active and is
used by the session iframe to detect if the session is valid without having
to do a http request. For more details see the session management spec from
OpenID Connect.
On 16 December 2016 at 16:36, Michael Gerber <gerbermichi(a)me.com> wrote:
Why is the KEYLOAK_SESSION cookie not an http only cookie? Is there
a
reason for that?
On 16 Dec 2016, at 16:00, Stian Thorgersen <sthorger(a)redhat.com> wrote:
Use Chrome or Firefox ;)
On 16 December 2016 at 15:44, Michael Gerber <gerbermichi(a)me.com> wrote:
> That's true. It shares the cookie which does not have set httpOnly to
> true.
>
> It's obviously an IE fail, however, I need a workaround for that :)
> Do you have any idea how to solve this?
>
> Am 16. Dezember 2016 um 15:14 schrieb Stian Thorgersen <
> sthorger(a)redhat.com>:
>
> ... Doesn't
>
> On 16 December 2016 at 15:13, Stian Thorgersen <sthorger(a)redhat.com>
> wrote:
>
>> Does sound like IE actually creates a clean new session as it's sharing
>> some cookies.
>>
>> On 16 December 2016 at 13:10, Michael Gerber <gerbermichi(a)me.com> wrote:
>>
>>> Hi,
>>>
>>> I am using Windows 7 and Internet Explorer 11.
>>>
>>> IE can create a new window with a new session. It should be possible to
>>> work with two different users in this two windows. However, the second
>>> login logs the older user out, because of the KEYCLOAK_SESSION cookie which
>>> is stored in the "C:\Users\{username}\AppData\R
>>> oaming\Microsoft\Windows\Cookies" directory. The problem is, that this
>>> cookie is not set to httpOnly.
>>>
>>> Is this a known bug? Or can I solve this problem?
>>>
>>> kind regards
>>> Michael
>>> _______________________________________________
>>> keycloak-dev mailing list
>>> keycloak-dev(a)lists.jboss.org
>>>
https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
>>
>>
>