[ 
https://issues.apache.org/jira/browse/KNOX-3254?focusedWorklogId=1006052&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-1006052
 ]

ASF GitHub Bot logged work on KNOX-3254:
----------------------------------------

                Author: ASF GitHub Bot
            Created on: 19/Feb/26 09:42
            Start Date: 19/Feb/26 09:42
    Worklog Time Spent: 10m 
      Work Description: smolnar82 opened a new pull request, #1148:
URL: https://github.com/apache/knox/pull/1148

   [KNOX-3254](https://issues.apache.org/jira/browse/KNOX-3254) - Control the `Secure` flag in Pac4j session cookies
   
   ## What changes were proposed in this pull request?
   
   This PR introduces a new configuration parameter:
   ```
   pac4j.session.store.secure.cookie
   ```
   
   to control whether cookies created by KnoxSessionStore are marked as Secure.
   
   Previously, cookies were always marked Secure, regardless of request type.
   The new default behavior determines the Secure flag based on the request security (HTTPS vs HTTP), with an option to override via configuration.
   
   
   Configuration | Request | Secure flag
   

Issue Time Tracking
-------------------

            Worklog Id:     (was: 1006052)
    Remaining Estimate: 0h
            Time Spent: 10m

> Add configuration option to control Secure flag for pac4j session store 
> cookies
> -------------------------------------------------------------------------------
>
>                 Key: KNOX-3254
>                 URL: https://issues.apache.org/jira/browse/KNOX-3254
>             Project: Apache Knox
>          Issue Type: Improvement
>          Components: Server
>    Affects Versions: 2.1.0
>            Reporter: Sandor Molnar
>            Assignee: Sandor Molnar
>            Priority: Major
>             Fix For: 3.0.0
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> h3. Problem
> The {{KnoxSessionStore}} always sets the {{Secure}} flag on session cookies 
> regardless of whether the incoming request is HTTPS:
> {noformat}
> setCookieHeader.setSecure(true){noformat}
> This behavior prevents testing scenarios that run over HTTP (e.g., local 
> development, integration tests, CI environments) where secure cookies are not 
> accepted by browsers or HTTP clients.
> As a result, authentication flows using pac4j session cookies cannot be 
> tested properly in non-HTTPS environments.
> ----
> h3. Proposed Improvement
> Introduce a configurable parameter:
> {noformat}
> pac4j.session.store.secure.cookie{noformat}
> When present, this parameter explicitly controls whether the {{Secure}} 
> attribute is set on session cookies.
>  
> *New Behavior*
> h4. When configuration is NOT set
> The Secure flag is determined from the request:
>  * HTTPS request → Secure = true
>  * HTTP request → Secure = false
> h4. When configuration IS set
> The parameter overrides the default logic:
>  * {{true}} → always Secure
>  * {{false}} → never Secure
>  
> ----
> h3. Backward Compatibility
> ⚠️ *Behavior change*
> Previously:
>  * Secure flag was always set to {{true}}
> Now (if not configured):
>  * Secure flag depends on request security
> Implications:
>  * Deployments serving Knox over plain HTTP will now receive non-Secure 
> cookies
>  * Deployments relying on always-Secure cookies should explicitly set:



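The decision logic the issue describes, as an added example written for this page (not Knox's own KnoxSessionStore code). Only the parameter name comes from the page; it assumes the value is read as a plain string and rejects anything other than `true`/`false` rather than treating a typo as `false`, which is this example's choice, and the `requestIsHttps` flag stands in for whatever the servlet container reports about the request.

```java
// Added example, not Knox project code. Names other than the parameter are hypothetical.
import java.util.Map;

public final class SecureCookieFlagExample {
    /** Parameter name from the issue / PR description. */
    static final String PARAM = "pac4j.session.store.secure.cookie";

    // Config absent -> follow the request (HTTPS => Secure, HTTP => not Secure).
    // Config "true" -> always Secure; "false" -> never Secure. Any other value is
    // rejected (this example's choice): a typo must not silently drop Secure.
    static boolean resolveSecure(Map<String, String> config, boolean requestIsHttps) {
        String raw = config.get(PARAM);
        if (raw == null || raw.trim().isEmpty()) {
            return requestIsHttps;
        }
        switch (raw.trim().toLowerCase()) {
            case "true":  return true;
            case "false": return false;
            default: throw new IllegalArgumentException(PARAM + " must be true or false: " + raw);
        }
    }

    // Renders the header; Path and HttpOnly are illustrative defaults, not from the page.
    static String setCookieHeader(String name, String value, boolean secure) {
        StringBuilder sb = new StringBuilder(name).append('=').append(value).append("; Path=/; HttpOnly");
        if (secure) {
            sb.append("; Secure");
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed cases mirroring the issue's "New Behavior" section.
        Object[][] cases = {
            { Map.of(),               true,  "config absent, HTTPS" },
            { Map.of(),               false, "config absent, HTTP" },
            { Map.of(PARAM, "true"),  false, "config=true, HTTP" },
            { Map.of(PARAM, "false"), true,  "config=false, HTTPS" },
        };
        for (Object[] c : cases) {
            @SuppressWarnings("unchecked")
            Map<String, String> cfg = (Map<String, String>) c[0];
            boolean secure = resolveSecure(cfg, (Boolean) c[1]);
            System.out.println(c[2] + " -> " + setCookieHeader("SESSION", "opaque-id", secure));
        }
    }
}
```

Behind a TLS-terminating proxy the container may see the inbound request as plain HTTP, so deployments in that layout should set the parameter to `true` explicitly instead of relying on request-based detection.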
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
