[jira] [Commented] (KNOX-3254) Add configuration option to control Secure flag for pac4j session store cookies

Fri, 20 Feb 2026 03:33:09 -0800 


    [ 
https://issues.apache.org/jira/browse/KNOX-3254?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18059891#comment-18059891
 ] 

ASF subversion and git services commented on KNOX-3254:
-------------------------------------------------------

Commit 79f0deb935d45eb8d8302ce0eed1ad08aa00a5c8 in knox's branch 
refs/heads/master from Sandor Molnar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=79f0deb93 ]

KNOX-3254 - Allow control the Secure flag in pac4j session cookies (#1148)



> Add configuration option to control Secure flag for pac4j session store 
> cookies
> -------------------------------------------------------------------------------
>
>                 Key: KNOX-3254
>                 URL: https://issues.apache.org/jira/browse/KNOX-3254
>             Project: Apache Knox
>          Issue Type: Improvement
>          Components: Server
>    Affects Versions: 2.1.0
>            Reporter: Sandor Molnar
>            Assignee: Sandor Molnar
>            Priority: Major
>             Fix For: 3.0.0
>
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> h3. Problem
> The {{KnoxSessionStore}} always sets the {{Secure}} flag on session cookies 
> regardless of whether the incoming request is HTTPS:
> {noformat}
> setCookieHeader.setSecure(true){noformat}
> This behavior prevents testing scenarios that run over HTTP (e.g., local 
> development, integration tests, CI environments) where secure cookies are not 
> accepted by browsers or HTTP clients.
> As a result, authentication flows using pac4j session cookies cannot be 
> tested properly in non-HTTPS environments.
> ----
> h3. Proposed Improvement
> Introduce a configurable parameter:
> {noformat}
> pac4j.session.store.secure.cookie{noformat}
> When present, this parameter explicitly controls whether the {{Secure}} 
> attribute is set on session cookies.
>  
> *New Behavior*
> h4. When configuration is NOT set
> The Secure flag is determined from the request:
>  * HTTPS request → Secure = true
>  * HTTP request → Secure = false
> h4. When configuration IS set
> The parameter overrides the default logic:
>  * {{true}} → always Secure
>  * {{false}} → never Secure
>  
> ----
> h3. Backward Compatibility
> ⚠️ *Behavior change*
> Previously:
>  * Secure flag was always set to {{true}}
> Now (if not configured):
>  * Secure flag depends on request security
> Implications:
>  * Deployments serving Knox over plain HTTP will now receive non-Secure 
> cookies
>  * Deployments relying on always-Secure cookies should explicitly set:



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to