From: Dominik Guhr (pinguwien at gmail.com)
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] Why is the KEYCLOAK_LOCALE cookie httponly? And is there a way to get the locale on first call of page?
Date: Tue, 30 Jan 2018 14:52:56 +0100

Hi everyone,

so I tried to theme the login page here, which worked out pretty well at first, but when internationalization was a thing (I had to change the provided internationalization to a selectbox) I tried to get the KEYCLOAK_LOCALE cookie at page load to set the selected option by this cookie.

Sadly, document.cookie doesn't have the KEYCLOAK_LOCALE cookie inside, because it seems to be set to httponly=true, which doesn't make it accessible via JS.

So, this was a problem because when you first(!) call the login page, there is no query param kc_locale=... set and I had to figure out which language is used and thus how to set the dropdown's selected option accordingly.

My custom dropdown code just looks like this:

<#if realm.internationalizationEnabled>

Now, when changing the login to English, not logging in, on the next call of a protected page and redirect to the login page, I can't check in JS which locale is set, for no query string is set and the cookie is not accessible.

So, 3 concrete questions:

a) Why is it httponly? XSS attack prevention?
b) Would it be possible to always get the locale in the query string of the login/pw form redirect?
c) Alternatively, is it possible to get the current locale in jsf by accessing locale.?

Thanks in advance!

Best regards,
Dominik
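
The behaviour described in the message, as an added example that is not part of the original post or of Keycloak's code: it models which cookies a page script can read and resolves the locale from the kc_locale query parameter first. The Set-Cookie values, the theme_pref cookie and the renderedLocale argument (a value the server-side template would write into the page) are assumptions made for illustration.

```javascript
// Constructed sample response headers; paths and values are illustrative,
// not captured from a Keycloak server.
const SAMPLE_SET_COOKIE = [
  "KEYCLOAK_LOCALE=en; Path=/auth/realms/demo/; HttpOnly",
  "theme_pref=dark; Path=/", // hypothetical non-HttpOnly cookie for contrast
];

// Parse one Set-Cookie header into { name, value, httpOnly }.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  return {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    httpOnly: attrs.some((a) => a.toLowerCase() === "httponly"),
  };
}

// Build the string a page script would see in document.cookie. HttpOnly
// cookies are stored and sent with requests but are never listed here,
// so injected script cannot read them.
function scriptVisibleCookies(setCookieHeaders) {
  return setCookieHeaders
    .map(parseSetCookie)
    .filter((c) => !c.httpOnly)
    .map((c) => `${c.name}=${c.value}`)
    .join("; ");
}

// Look up one cookie by name in a document.cookie style string.
function readCookie(cookieString, name) {
  for (const part of cookieString.split(";")) {
    const [k, ...v] = part.trim().split("=");
    if (k === name) return v.join("=");
  }
  return null;
}

// Resolve the locale: kc_locale query parameter, then a script-readable
// cookie, then the value the template rendered (renderedLocale, assumed).
function resolveLocale(search, cookieString, renderedLocale) {
  const fromQuery = new URLSearchParams(search).get("kc_locale");
  if (fromQuery) return { locale: fromQuery, source: "query" };
  const fromCookie = readCookie(cookieString, "KEYCLOAK_LOCALE");
  if (fromCookie) return { locale: fromCookie, source: "cookie" };
  return { locale: renderedLocale || null, source: renderedLocale ? "rendered" : "none" };
}
```

On the first call of the login page there is no kc_locale parameter and the cookie branch finds nothing, so only a value rendered by the server side can select the dropdown option.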