[jira] [Work logged] (KNOX-3254) Add configuration option to control Secure flag for pac4j session store cookies

[ASF GitHub Bot (Jira)]

     [ 
https://issues.apache.org/jira/browse/KNOX-3254?focusedWorklogId=1006338&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-1006338
 ]

ASF GitHub Bot logged work on KNOX-3254:
----------------------------------------

                Author: ASF GitHub Bot
            Created on: 20/Feb/26 11:32
            Start Date: 20/Feb/26 11:32
    Worklog Time Spent: 10m 
      Work Description: smolnar82 merged PR #1148:
URL: https://github.com/apache/knox/pull/1148




Issue Time Tracking
-------------------

    Worklog Id:     (was: 1006338)
    Time Spent: 20m  (was: 10m)

> Add configuration option to control Secure flag for pac4j session store 
> cookies
> -------------------------------------------------------------------------------
>
>                 Key: KNOX-3254
>                 URL: https://issues.apache.org/jira/browse/KNOX-3254
>             Project: Apache Knox
>          Issue Type: Improvement
>          Components: Server
>    Affects Versions: 2.1.0
>            Reporter: Sandor Molnar
>            Assignee: Sandor Molnar
>            Priority: Major
>             Fix For: 3.0.0
>
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> h3. Problem
> The {{KnoxSessionStore}} always sets the {{Secure}} flag on session cookies 
> regardless of whether the incoming request is HTTPS:
> {noformat}
> setCookieHeader.setSecure(true){noformat}
> This behavior prevents testing scenarios that run over HTTP (e.g., local 
> development, integration tests, CI environments) where secure cookies are not 
> accepted by browsers or HTTP clients.
> As a result, authentication flows using pac4j session cookies cannot be 
> tested properly in non-HTTPS environments.
> ----
> h3. Proposed Improvement
> Introduce a configurable parameter:
> {noformat}
> pac4j.session.store.secure.cookie{noformat}
> When present, this parameter explicitly controls whether the {{Secure}} 
> attribute is set on session cookies.
>  
> *New Behavior*
> h4. When configuration is NOT set
> The Secure flag is determined from the request:
>  * HTTPS request → Secure = true
>  * HTTP request → Secure = false
> h4. When configuration IS set
> The parameter overrides the default logic:
>  * {{true}} → always Secure
>  * {{false}} → never Secure
>  
> ----
> h3. Backward Compatibility
> ⚠️ *Behavior change*
> Previously:
>  * Secure flag was always set to {{true}}
> Now (if not configured):
>  * Secure flag depends on request security
> Implications:
>  * Deployments serving Knox over plain HTTP will now receive non-Secure 
> cookies
>  * Deployments relying on always-Secure cookies should explicitly set:



--
This message was sent by Atlassian Jira
(v8.20.10#820010)