Posted to dev@knox.apache.org by "Larry McCay (JIRA)" <ji...@apache.org> on 2017/05/11 12:01:04 UTC

[jira] [Commented] (KNOX-933) PicketLink Provider must set Secure and HTTPOnly flags on Cookie

    [ https://issues.apache.org/jira/browse/KNOX-933?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16006298#comment-16006298 ] 

Larry McCay commented on KNOX-933:
----------------------------------

Hi [~kpandey] - thanks for this patch!
I think that we should probably make the setting of the Secure flag configurable from the topology.
Consider a param to the PicketLink provider params for something like original.url.cookie.secure and default it to true.
Then inside the addCookie method of CaptureOriginalURLFilter you will just test the value of this param from the init params that were interrogated inside the init method.

This will allow the cookie to be presented by the browser in dev environments where SSL needs to be disabled.

> PicketLink Provider must set Secure and HTTPOnly flags on Cookie
> ----------------------------------------------------------------
>
>                 Key: KNOX-933
>                 URL: https://issues.apache.org/jira/browse/KNOX-933
>             Project: Apache Knox
>          Issue Type: Bug
>          Components: Server
>            Reporter: Larry McCay
>            Assignee: Krishna Pandey
>              Labels: KIP-7
>             Fix For: 0.13.0
>
>         Attachments: KNOX-933_master_v1.patch
>
>
> The provider creates a cookie in CaptureOriginalURLFilter.java at line 68, but fails to set the HttpOnly and Secure flags to true.
> This provider is not really supported anymore and isn't even documented but we should make sure that all cookies have HttpOnly and Secure flags set. We should separately consider deprecating and removing this provider.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
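The pattern discussed in the comment above (HttpOnly always on, Secure controlled by a provider param read once in init() and defaulting to true), shown as an added illustrative servlet filter. This is not Knox's CaptureOriginalURLFilter or any other Knox code; the class name, the cookie name "original-url", and the hypothetical buildCookie helper are assumptions made here, and only the param name original.url.cookie.secure comes from the comment.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Illustrative filter (not Knox's own CaptureOriginalURLFilter) that captures the
 * request URL in a cookie. HttpOnly is set unconditionally; Secure is set according
 * to a provider param that is read once in init() and defaults to true.
 */
public class OriginalUrlCookieFilter implements Filter {

  // Param name suggested in the JIRA comment; the cookie name is an assumption.
  static final String COOKIE_SECURE_PARAM = "original.url.cookie.secure";
  static final String COOKIE_NAME = "original-url";

  // Secure by default; only an explicit "false" in the topology turns it off.
  private boolean cookieSecure = true;

  @Override
  public void init(FilterConfig config) throws ServletException {
    // Absent param => true. Only the literal string "false" disables the flag,
    // so a misspelled value cannot silently weaken the cookie.
    String value = config.getInitParameter(COOKIE_SECURE_PARAM);
    cookieSecure = value == null || !"false".equalsIgnoreCase(value.trim());
  }

  @Override
  public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
      throws IOException, ServletException {
    HttpServletRequest request = (HttpServletRequest) req;
    HttpServletResponse response = (HttpServletResponse) res;
    addCookie(response, request.getRequestURL().toString());
    chain.doFilter(request, response);
  }

  // Equivalent of the addCookie step discussed in the comment.
  void addCookie(HttpServletResponse response, String originalUrl) {
    response.addCookie(buildCookie(originalUrl));
  }

  // Hypothetical helper, split out so the flag logic can be checked without a container.
  Cookie buildCookie(String originalUrl) {
    Cookie cookie = new Cookie(COOKIE_NAME, originalUrl);
    cookie.setHttpOnly(true);       // never expose the value to page scripts
    cookie.setSecure(cookieSecure); // configurable via original.url.cookie.secure
    cookie.setPath("/");
    return cookie;
  }

  // Returns the effective setting, useful for a quick check in tests or logs.
  boolean isCookieSecure() {
    return cookieSecure;
  }

  @Override
  public void destroy() {
  }
}
```

With no param in the topology the cookie is emitted with both HttpOnly and Secure, which is what KNOX-933 asks for; a dev deployment without SSL sets original.url.cookie.secure to false so the browser will still send the cookie over plain HTTP. Cookie.setHttpOnly requires the Servlet 3.0 API or later, and the example assumes the captured URL contains only characters the container accepts in a cookie value.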