[keycloak-user] Why is the KEYCLOAK_LOCALE cookie httponly? And is there a way to get the locale on first call of page?

Dominik Guhr pinguwien at gmail.com
Tue Jan 30 08:52:56 EST 2018


Hi everyone,

So I tried to theme the login page here, which worked out pretty well at 
first, but when internationalization became a thing (I had to change the 
provided internationalization to a select box) I tried to get the 
KEYCLOAK_LOCALE cookie at page load to set the selected option from this 
cookie.

Sadly, document.cookie doesn't contain the KEYCLOAK_LOCALE cookie, 
because it seems to be set to httponly=true, which makes it 
inaccessible via JS.

So, this was a problem because when you first(!) call the login page, 
there is no query param kc_locale=... set and I had to figure out which 
language is used and thus how to set the dropdown's selected option 
accordingly.

My custom dropdown code just looks like this:

<#if realm.internationalizationEnabled>
	<select name="languages" id="locale_dropdown">
		<#-- one option per supported locale; the value is the URL that switches to it -->
		<#list locale.supported as l>
		<option value="${l.url}">${l.label}</option>
		</#list>
	</select>
</#if>

Now, when changing the login to English, not logging in, on the next call of 
a protected page and redirect to the login page, I can't check in JS 
which locale is set, for no query string is set and the cookie is not 
accessible.

So, 3 concrete questions:
a) Why is it httponly? XSS attack prevention?
b) Would it be possible to always get the locale in the query string of 
the login/pw form redirect?
c) Alternatively, is it possible to get the current locale in jsf by 
accessing locale.?

Thanks in advance!

Best regards,
Dominik
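
The situation described in the message above, as an added example that is not part of the original post: a small model, runnable in Node, of what a login-page script can see of the locale. The Set-Cookie lines, the host name and the theme_pref cookie are constructed, and the function names are hypothetical.

```javascript
// Added example, not code from the original post or from Keycloak.

// Model of document.cookie: the browser leaves out every cookie whose
// Set-Cookie header carries the HttpOnly attribute.
function scriptVisibleCookies(setCookieHeaders) {
  return setCookieHeaders
    .map((h) => h.split(";").map((p) => p.trim()))
    .filter((parts) => !parts.slice(1).some((a) => a.toLowerCase() === "httponly"))
    .map((parts) => parts[0])
    .join("; ");
}

// Read one cookie out of a document.cookie-style string, or null if absent.
function cookieValue(documentCookie, name) {
  for (const pair of documentCookie.split("; ")) {
    const eq = pair.indexOf("=");
    if (eq > 0 && pair.slice(0, eq) === name) return pair.slice(eq + 1);
  }
  return null;
}

// Decide which dropdown option to preselect: kc_locale query parameter
// first, then a script-readable cookie. Anything outside the supported
// list is rejected, so attacker-chosen input never reaches the DOM.
function localeForDropdown(pageUrl, documentCookie, supported) {
  const fromQuery = new URL(pageUrl).searchParams.get("kc_locale");
  const candidate = fromQuery || cookieValue(documentCookie, "KEYCLOAK_LOCALE");
  return supported.includes(candidate) ? candidate : null;
}

// Constructed sample data.
const SUPPORTED = ["en", "de"];
const LOGIN_URL = "https://sso.example.test/auth/realms/demo/login";
const RESPONSE_COOKIES = [
  "KEYCLOAK_LOCALE=en; Path=/auth/realms/demo; HttpOnly",
  "theme_pref=dark; Path=/",
];

const visible = scriptVisibleCookies(RESPONSE_COOKIES);
console.log("document.cookie:", visible);
console.log("first visit:", localeForDropdown(LOGIN_URL, visible, SUPPORTED));
console.log("after switch:", localeForDropdown(LOGIN_URL + "?kc_locale=de", visible, SUPPORTED));
```

On the first visit the function returns null: neither source is readable from script, so the preselected option has to be decided where the page is rendered.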

