Hi All,

Looks like it’s hard coded to set the httpOnly flag (https://github.com/apache/knox/blob/bc6683f4e67f1c1904a82b4d488293124f565e26/gateway-service-knoxsso/src/main/java/org/apache/knox/gateway/service/knoxsso/WebSSOResource.java#L331); I’m curious why is this not configurable? Is it a security issue or was this just not something that was considered as needing to be configurable?
Regards,
Christopher Jackson

> On Jul 20, 2018, at 7:09 PM, Christopher Jackson <jackson.christopher....@gmail.com> wrote:
>
> Hi All,
>
> Wondering if it’s possible to issue the Knox JWT cookie (created via SSOCookieProvider) without having the httpOnly flag set? I could not find any such configuration in the docs.
>
> We would like to read the user information from the JWT via the ‘sub’ field in JavaScript code, seems httpOnly cookies are not available to JS.
>
> Regards,
>
> Christopher Jackson
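
An added example, not part of the thread above and not Knox code: one way for page scripts to learn the `sub` value while the SSO cookie stays httpOnly is a small server-side handler that reads the cookie, verifies the JWT and returns only the subject. The cookie name `hadoop-jwt`, the RS256 algorithm, the helper names and the throwaway key pair are assumptions made for this sketch.

```javascript
const nodeCrypto = require("node:crypto");

const COOKIE_NAME = "hadoop-jwt"; // assumption: name the SSO cookie is issued under
const b64url = (data) => Buffer.from(data).toString("base64url");
const fromB64url = (s) => Buffer.from(s, "base64url");

// Pull one cookie value out of a raw Cookie request header.
function readCookie(header, name) {
  for (const part of (header || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq > 0 && part.slice(0, eq).trim() === name) return part.slice(eq + 1).trim();
  }
  return null;
}

// Verify an RS256 JWT against the issuer's public key and return only 'sub'.
// Returns null for a missing, malformed, wrongly signed or expired token.
function subjectFromCookie(cookieHeader, issuerKey, nowSec = Math.floor(Date.now() / 1000)) {
  const token = readCookie(cookieHeader, COOKIE_NAME);
  const parts = token ? token.split(".") : [];
  if (parts.length !== 3) return null;
  try {
    const header = JSON.parse(fromB64url(parts[0]).toString("utf8"));
    if (header.alg !== "RS256") return null; // pin the algorithm (assumed RS256)
    const signed = Buffer.from(parts[0] + "." + parts[1]);
    if (!nodeCrypto.verify("RSA-SHA256", signed, issuerKey, fromB64url(parts[2]))) return null;
    const claims = JSON.parse(fromB64url(parts[1]).toString("utf8"));
    if (typeof claims.exp === "number" && claims.exp <= nowSec) return null;
    return typeof claims.sub === "string" ? claims.sub : null;
  } catch {
    return null; // undecodable header or payload
  }
}

// Constructed sample: a throwaway key pair and token standing in for the issuer.
const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
function makeToken(claims, key = privateKey) {
  const head = b64url(JSON.stringify({ alg: "RS256" })) + "." + b64url(JSON.stringify(claims));
  return head + "." + b64url(nodeCrypto.sign("RSA-SHA256", Buffer.from(head), key));
}
const sampleCookie = "theme=dark; " + COOKIE_NAME + "=" + makeToken({ sub: "guest", exp: 4102444800 });
console.log(subjectFromCookie(sampleCookie, publicKey));
```

A handler built on `subjectFromCookie` would answer a same-origin request with just the subject, so the token itself is never exposed to script.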