smolnar82 opened a new pull request, #1148: URL: https://github.com/apache/knox/pull/1148
[KNOX-3254](https://issues.apache.org/jira/browse/KNOX-3254) - Control the `Secure` flag in Pac4j session cookies

## What changes were proposed in this pull request?

This PR introduces a new configuration parameter:

```
pac4j.session.store.secure.cookie
```

to control whether cookies created by KnoxSessionStore are marked as Secure.

Previously, cookies were always marked Secure, regardless of request type. The new default behavior determines the Secure flag based on the request security (HTTPS vs HTTP), with an option to override via configuration.

Configuration | Request | Secure flag
-- | -- | --
Not set | HTTP | false
Not set | HTTPS | true
false | HTTP | false
false | HTTPS | false
true | HTTP | true
true | HTTPS | true

**Motivation**

- Enables testing and development over HTTP
- Supports CI pipelines without TLS
- Improves behavior behind reverse proxies
- Provides explicit control for administrators

## How was this patch tested?

Added unit test cases to cover the new behavior. I also tested the E2E SSO/SAML flow in k8s environments using plain HTTP, which, without this change, wasn't possible before.

## Integration Tests

N/A

## UI changes

N/A

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
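The resolution rule in the table above, modelled as an added example (not Knox's or pac4j's own code); the cookie name, the `Set-Cookie` builder and the audit helper are assumptions made for illustration:

```python
from typing import Optional

# Name of the configuration parameter introduced by the PR.
SECURE_COOKIE_PARAM = "pac4j.session.store.secure.cookie"


def resolve_secure_flag(config: dict, request_is_https: bool) -> bool:
    """Decide the Secure flag as the PR's table describes.

    Unset/blank -> follow the request scheme (HTTPS -> Secure).
    "true"/"false" -> explicit administrator override, regardless of scheme.
    Any other value is rejected instead of silently becoming "false".
    """
    raw: Optional[str] = config.get(SECURE_COOKIE_PARAM)
    if raw is None or raw.strip() == "":
        return request_is_https
    value = raw.strip().lower()
    if value not in ("true", "false"):
        raise ValueError(f"{SECURE_COOKIE_PARAM} must be true or false, got {raw!r}")
    return value == "true"


def build_set_cookie(name: str, value: str, secure: bool) -> str:
    """Render a minimal Set-Cookie header; attributes here are illustrative."""
    parts = [f"{name}={value}", "Path=/"]
    if secure:
        parts.append("Secure")
    return "; ".join(parts)


def audit_cookie(header: str, response_over_https: bool) -> list:
    """Defender-side check: flag a session cookie sent over TLS without Secure.

    This catches the risky combination in the table (config "false" on HTTPS),
    which leaves the cookie sendable over a cleartext connection.
    """
    attrs = {p.strip().lower() for p in header.split(";")[1:]}
    findings = []
    if response_over_https and "secure" not in attrs:
        findings.append("session cookie issued over HTTPS without the Secure attribute")
    return findings


if __name__ == "__main__":
    # Constructed sample: override set to "false" while serving HTTPS.
    cfg = {SECURE_COOKIE_PARAM: "false"}
    hdr = build_set_cookie("session", "abc123", resolve_secure_flag(cfg, True))
    print(hdr, audit_cookie(hdr, response_over_https=True))
```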
