[
https://issues.apache.org/jira/browse/KNOX-3254?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Sandor Molnar updated KNOX-3254:
--------------------------------
Description:
h3. Problem
The {{KnoxSessionStore}} always sets the {{Secure}} flag on session cookies
regardless of whether the incoming request is HTTPS:
{noformat}
setCookieHeader.setSecure(true){noformat}
This behavior prevents testing scenarios that run over HTTP (e.g., local
development, integration tests, CI environments) where secure cookies are not
accepted by browsers or HTTP clients.
As a result, authentication flows using pac4j session cookies cannot be tested
properly in non-HTTPS environments.
----
h3. Proposed Improvement
Introduce a configurable parameter:
{noformat}
pac4j.session.store.secure.cookie{noformat}
When present, this parameter explicitly controls whether the {{Secure}}
attribute is set on session cookies.
*New Behavior*
h4. When configuration is NOT set
The Secure flag is determined from the request:
* HTTPS request → Secure = true
* HTTP request → Secure = false
h4. When configuration IS set
The parameter overrides the default logic:
* {{true}} → always Secure
* {{false}} → never Secure
----
h3. Backward Compatibility
⚠️ *Behavior change*
Previously:
* Secure flag was always set to {{true}}
Now (if not configured):
* Secure flag depends on request security
Implications:
* Deployments serving Knox over plain HTTP will now receive non-Secure cookies
* Deployments relying on always-Secure cookies should explicitly set:
was:
h3. Problem
The {{KnoxSessionStore}} always sets the {{Secure}} flag on session cookies
regardless of whether the incoming request is HTTPS:
setCookieHeader.setSecure(true)
This behavior prevents testing scenarios that run over HTTP (e.g., local
development, integration tests, CI environments) where secure cookies are not
accepted by browsers or HTTP clients.
As a result, authentication flows using pac4j session cookies cannot be tested
properly in non-HTTPS environments.
----
h3. Proposed Improvement
Introduce a configurable parameter:
pac4j.session.store.secure.cookie
When present, this parameter explicitly controls whether the {{Secure}}
attribute is set on session cookies.
h3. New Behavior
h4. When configuration is NOT set
The Secure flag is determined from the request:
* HTTPS request → Secure = true
* HTTP request → Secure = false
h4. When configuration IS set
The parameter overrides the default logic:
* {{true}} → always Secure
* {{false}} → never Secure
h3. Backward Compatibility
⚠️ *Behavior change*
Previously:
* Secure flag was always set to {{true}}
Now (if not configured):
* Secure flag depends on request security
Implications:
* Deployments serving Knox over plain HTTP will now receive non-Secure cookies
* Deployments relying on always-Secure cookies should explicitly set:
> Add configuration option to control Secure flag for pac4j session store
> cookies
> -------------------------------------------------------------------------------
>
> Key: KNOX-3254
> URL: https://issues.apache.org/jira/browse/KNOX-3254
> Project: Apache Knox
> Issue Type: Improvement
> Components: Server
> Affects Versions: 2.1.0
> Reporter: Sandor Molnar
> Assignee: Sandor Molnar
> Priority: Major
> Fix For: 3.0.0
>
>
> h3. Problem
> The {{KnoxSessionStore}} always sets the {{Secure}} flag on session cookies
> regardless of whether the incoming request is HTTPS:
> {noformat}
> setCookieHeader.setSecure(true){noformat}
> This behavior prevents testing scenarios that run over HTTP (e.g., local
> development, integration tests, CI environments) where secure cookies are not
> accepted by browsers or HTTP clients.
> As a result, authentication flows using pac4j session cookies cannot be
> tested properly in non-HTTPS environments.
> ----
> h3. Proposed Improvement
> Introduce a configurable parameter:
> {noformat}
> pac4j.session.store.secure.cookie{noformat}
> When present, this parameter explicitly controls whether the {{Secure}}
> attribute is set on session cookies.
>
> *New Behavior*
> h4. When configuration is NOT set
> The Secure flag is determined from the request:
> * HTTPS request → Secure = true
> * HTTP request → Secure = false
> h4. When configuration IS set
> The parameter overrides the default logic:
> * {{true}} → always Secure
> * {{false}} → never Secure
>
> ----
> h3. Backward Compatibility
> ⚠️ *Behavior change*
> Previously:
> * Secure flag was always set to {{true}}
> Now (if not configured):
> * Secure flag depends on request security
> Implications:
> * Deployments serving Knox over plain HTTP will now receive non-Secure
> cookies
> * Deployments relying on always-Secure cookies should explicitly set:
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
