Posted to user@knox.apache.org by Christopher Jackson <ja...@gmail.com> on 2018/07/20 23:09:18 UTC

Knox SSO cookie set with httpOnly flag

Hi All,

Wondering if it’s possible to issue the Knox JWT cookie (created via SSOCookieProvider) without having the httpOnly flag set? I could not find any such configuration in the docs.

We would like to read the user information from the JWT via the 'sub' field in JavaScript code; it seems httpOnly cookies are not available to JS.

Regards,

Christopher Jackson

Re: Knox SSO cookie set with httpOnly flag

Posted by larry mccay <lm...@apache.org>.
Hi Christopher -

Yes, it is a security issue to allow arbitrary JS to access a cookie that
represents the user's authentication and identity.
It certainly wouldn't be hard to make it configurable but you would have to
be sure to understand all of the implications of turning that off and it
would not be the default setting.

thanks,

--larry

On Fri, Jul 20, 2018 at 9:23 PM, Christopher Jackson <
jackson.christopher.lee@gmail.com> wrote:

> Hi All,
>
> Looks like it's hard coded to set the httpOnly flag
> (https://github.com/apache/knox/blob/bc6683f4e67f1c1904a82b4d488293124f565e26/gateway-service-knoxsso/src/main/java/org/apache/knox/gateway/service/knoxsso/WebSSOResource.java#L331);
> I'm curious why this is not configurable. Is it a security issue, or was this
> just not something that was considered as needing to be configurable?
>
> Regards,
>
> Christopher Jackson
>
>
> On Jul 20, 2018, at 7:09 PM, Christopher Jackson <jackson.christopher.lee@
> gmail.com> wrote:
>
> Hi All,
>
> Wondering if it’s possible to issue the Knox JWT cookie (created via
> SSOCookieProvider) without having the httpOnly flag set? I could not find
> any such configuration in the docs.
>
> We would like to read the user information from the JWT via the 'sub'
> field in JavaScript code; it seems httpOnly cookies are not available to JS.
>
> Regards,
>
> Christopher Jackson
>
>
>
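
As an added illustration (not from this thread or the Knox project), a Node.js snippet that checks the flags on a Set-Cookie header and decodes the 'sub' claim from a JWT payload on the server side, where the token is legitimately available; the cookie name hadoop-jwt, the claims and the signature are constructed sample values.

```javascript
// Added example; not Knox code. Node.js, no dependencies.
// Decode a base64url segment (JWT segments drop '=' padding).
function b64urlDecode(s) {
  const pad = '='.repeat((4 - (s.length % 4)) % 4);
  return Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/') + pad, 'base64').toString('utf8');
}

// Parse one Set-Cookie header into name, value and attribute flags.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), httpOnly: false, secure: false, attributes: {} };
  for (const attr of attrs) {
    const [k, v] = attr.split('=');
    const key = k.toLowerCase();
    if (key === 'httponly') cookie.httpOnly = true;
    else if (key === 'secure') cookie.secure = true;
    else cookie.attributes[key] = v === undefined ? true : v;
  }
  return cookie;
}

// Read the JWT payload WITHOUT verifying the signature. Only call this on a
// token the server has already validated; it is a decoder, not an authenticator.
function jwtClaims(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  return JSON.parse(b64urlDecode(parts[1]));
}

// Audit an SSO cookie: is it shielded from document.cookie (HttpOnly) and from
// plaintext transport (Secure)? The server can return just `sub` to the browser
// instead of exposing the whole token by dropping HttpOnly.
function auditSsoCookie(header) {
  const c = parseSetCookie(header);
  return { name: c.name, httpOnly: c.httpOnly, secure: c.secure, sub: jwtClaims(c.value).sub };
}

// Constructed sample token: unsigned placeholder signature, hypothetical claims.
function b64url(str) {
  return Buffer.from(str, 'utf8').toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
const SAMPLE_TOKEN = [b64url(JSON.stringify({ alg: 'RS256', typ: 'JWT' })),
  b64url(JSON.stringify({ sub: 'cjackson', iss: 'KNOXSSO' })), 'sig-placeholder'].join('.');
const SAMPLE_HEADER = `hadoop-jwt=${SAMPLE_TOKEN}; Path=/; Domain=example.com; Secure; HttpOnly`;

console.log(auditSsoCookie(SAMPLE_HEADER));
```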

Re: Knox SSO cookie set with httpOnly flag

Posted by Christopher Jackson <ja...@gmail.com>.
Hi All,

Looks like it's hard coded to set the httpOnly flag (https://github.com/apache/knox/blob/bc6683f4e67f1c1904a82b4d488293124f565e26/gateway-service-knoxsso/src/main/java/org/apache/knox/gateway/service/knoxsso/WebSSOResource.java#L331); I'm curious why this is not configurable. Is it a security issue, or was this just not something that was considered as needing to be configurable?

Regards,

Christopher Jackson

> On Jul 20, 2018, at 7:09 PM, Christopher Jackson <ja...@gmail.com> wrote:
> 
> Hi All,
> 
> Wondering if it’s possible to issue the Knox JWT cookie (created via SSOCookieProvider) without having the httpOnly flag set? I could not find any such configuration in the docs.
> 
> We would like to read the user information from the JWT via the 'sub' field in JavaScript code; it seems httpOnly cookies are not available to JS.
> 
> Regards,
> 
> Christopher Jackson