[keycloak-user] How to remove Expires/Max-age from session cookie?

Stian Thorgersen sthorger at redhat.com
Thu May 11 05:43:18 EDT 2017


The cookie will only survive browser restarts if you enable remember me and
the user clicks the remember me checkbox.

On 8 May 2017 at 20:31, Caranzo Gideon <Gideon.Caranzo at gemalto.com> wrote:

> Hi,
>
> Is it possible in Keycloak to remove Expires/Max-age from
> "KEYCLOAK_SESSION" cookie?
> Basically, we want the cookie to last only until the browser is closed.
>
> Also, why does Keycloak set this value on the cookie? What are the risks
> in case an attacker is able to steal it?
>
> Best regards,
> Gideon
>
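
To check the behaviour discussed in this thread on your own deployment, the following added example (not part of the original messages and not Keycloak code) classifies `Set-Cookie` header values as session, persistent or expired, based on their Expires/Max-Age attributes. The function names, the `NOW` timestamp and the sample headers are constructed for illustration; feed it the `Set-Cookie` values from a login response captured with and without remember me.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample data (not captured from a real Keycloak server).
NOW = datetime(2017, 5, 11, 9, 43, 18, tzinfo=timezone.utc)
SAMPLE_HEADERS = [
    "KEYCLOAK_SESSION=demo/user/sid; Path=/; Max-Age=36000",
    "KEYCLOAK_SESSION=demo/user/sid; Path=/; Expires=Thu, 11 May 2017 10:43:18 GMT",
    "KEYCLOAK_SESSION=demo/user/sid; Path=/",
    "KEYCLOAK_SESSION=; Path=/; Max-Age=0; Expires=Thu, 11 May 2017 10:43:18 GMT",
]


def cookie_lifetime(set_cookie, now=None):
    """Return (name, kind, seconds_left) for one Set-Cookie header value.

    kind is "session" (no usable Expires/Max-Age: dropped when the browser
    closes), "persistent" (survives a restart) or "expired" (a deletion).
    """
    now = now or datetime.now(timezone.utc)
    pair, *attrs = [part.strip() for part in set_cookie.split(";")]
    name = pair.split("=", 1)[0].strip()
    max_age = expires = None
    for attr in attrs:
        key, _, value = attr.partition("=")
        key, value = key.strip().lower(), value.strip()
        try:
            if key == "max-age":
                max_age = int(value)
            elif key == "expires":
                when = parsedate_to_datetime(value)
                if when.tzinfo is None:
                    when = when.replace(tzinfo=timezone.utc)
                expires = int((when - now).total_seconds())
        except (TypeError, ValueError):
            continue  # an unparsable attribute is ignored, as browsers do
    # Max-Age takes precedence over Expires (RFC 6265, section 5.3).
    left = max_age if max_age is not None else expires
    if left is None:
        return name, "session", None
    return name, ("persistent" if left > 0 else "expired"), left


def persistent_cookies(headers, watch=("KEYCLOAK_SESSION",), now=None):
    """Indexes of headers setting a watched cookie that outlives a restart."""
    results = [cookie_lifetime(h, now) for h in headers]
    return [i for i, (name, kind, _) in enumerate(results)
            if name in watch and kind == "persistent"]
```
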

