[keycloak-user] Why is the KEYCLOAK_LOCALE cookie httponly? And is there a way to get the locale on first call of page?
Dominik Guhr
pinguwien at gmail.com
Tue Jan 30 08:52:56 EST 2018
Hi everyone,

So I tried to theme the login page here, which worked out pretty well at
first, but when internationalization became a thing (I had to change the
provided internationalization to a select box) I tried to get the
KEYCLOAK_LOCALE cookie at page load to set the selected option from this
cookie.

Sadly, document.cookie doesn't have the KEYCLOAK_LOCALE cookie inside,
because it seems to be set to httponly=true, which doesn't make it
accessible via JS.

So, this was a problem because when you first(!) call the login page,
there is no query param kc_locale=... set and I had to figure out which
language is used and thus how to set the dropdown's selected option
accordingly.

My custom dropdown code just looks like this:

<#-- One option per supported locale; the option value is the locale-switch URL. -->
<#if realm.internationalizationEnabled>
  <select name="languages" id="locale_dropdown">
    <#list locale.supported as l>
      <option value="${l.url}"><a href="${l.url}">${l.label}</a></option>
    </#list>
  </select>
</#if>

Now, when changing the login to English, not logging in, on the next call
of a protected page and redirect to the login page, I can't check in JS
which locale is set, for no query string is set and the cookie is not
accessible.

So, 3 concrete questions:
a) Why is it httponly? XSS attack prevention?
b) Would it be possible to always get the locale in the query string of
the login/pw form redirect?
c) Alternatively, is it possible to get the current locale in jsf by
accessing locale.?

Thanks in advance!
Best regards,
Dominik