Hi Christopher - Yes, it is a security issue to allow arbitrary JS to access a cookie that represents the user's authentication and identity. It certainly wouldn't be hard to make it configurable but you would have to be sure to understand all of the implications of turning that off and it would not be the default setting.
thanks,
--larry

On Fri, Jul 20, 2018 at 9:23 PM, Christopher Jackson <[email protected]> wrote:
> Hi All,
>
> Looks like it’s hard coded to set the httpOnly flag
> (https://github.com/apache/knox/blob/bc6683f4e67f1c1904a82b4d488293124f565e26/gateway-service-knoxsso/src/main/java/org/apache/knox/gateway/service/knoxsso/WebSSOResource.java#L331);
> I’m curious why is this not configurable? Is it a security issue or was this
> just not something that was considered as needing to be configurable?
>
> Regards,
>
> Christopher Jackson
>
>
> On Jul 20, 2018, at 7:09 PM, Christopher Jackson <jackson.christopher.lee@gmail.com> wrote:
>
> Hi All,
>
> Wondering if it’s possible to issue the Knox JWT cookie (created via
> SSOCookieProvider) without having the httpOnly flag set? I could not find
> any such configuration in the docs.
>
> We would like to read the user information from the JWT via the ’sub’
> field in javascript code; it seems httpOnly cookies are not available to JS.
>
> Regards,
>
> Christopher Jackson
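As an added illustration of the trade-off discussed in this thread (example code written for this page, not Knox's own WebSSOResource or SSOCookieProvider implementation): the cookie carrying the JWT keeps the HttpOnly flag so page scripts cannot read the token, and the `sub` claim the browser code wants is instead parsed server-side from the already-verified token and returned on its own. The cookie name `example-sso-jwt`, the `extractSubject` helper and the `/userinfo`-style response are assumptions made for this example; a real deployment would use a proper JSON library and the gateway's own verified claims rather than the regex shown here.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example, not Knox code. The cookie name, the subject-extraction
 * helper and the user-info response shape are assumptions for illustration.
 */
public final class SsoCookieExample {

    // Assumed cookie name for this example; Knox configures its real name elsewhere.
    static final String COOKIE_NAME = "example-sso-jwt";

    /**
     * Issue the session JWT so that script running in the page cannot read it
     * (HttpOnly) and it is only sent over TLS (Secure). document.cookie will
     * not show this cookie, which is exactly the protection the thread describes:
     * a cookie that represents the user's authentication stays out of reach of
     * any injected or third-party JavaScript.
     */
    public static Cookie buildSessionCookie(String jwt, boolean secure) {
        Cookie c = new Cookie(COOKIE_NAME, jwt);
        c.setHttpOnly(true);   // the flag under discussion: keep it on
        c.setSecure(secure);   // true in production; parameterised for local testing
        c.setPath("/");
        return c;
    }

    /**
     * Pull the 'sub' claim out of a compact JWS (header.payload.signature).
     * This does NOT verify the signature: call it only on a token the gateway
     * has already validated, and only on the server. The browser receives the
     * identity value, never the token itself.
     */
    public static String extractSubject(String jwt) {
        String[] parts = jwt.split("\\.");
        if (parts.length != 3) {
            throw new IllegalArgumentException("not a compact JWS");
        }
        // getUrlDecoder accepts unpadded base64url, which is what JWTs use.
        byte[] payload = Base64.getUrlDecoder().decode(parts[1]);
        String json = new String(payload, StandardCharsets.UTF_8);
        // Minimal claim lookup; a JSON parser should replace this in real code.
        Matcher m = Pattern.compile("\"sub\"\\s*:\\s*\"([^\"]*)\"").matcher(json);
        if (!m.find()) {
            throw new IllegalArgumentException("no sub claim in token");
        }
        return m.group(1);
    }

    /**
     * Serve something like GET /userinfo: a small JSON document containing only
     * the subject, so the page's JavaScript can display who is logged in
     * without the HttpOnly flag ever being relaxed on the session cookie.
     */
    public static void writeUserInfo(HttpServletResponse resp, String verifiedJwt)
            throws IOException {
        String sub = extractSubject(verifiedJwt);
        // Escape the two characters that would break the JSON string literal;
        // a JSON library handles the full escaping rules.
        String escaped = sub.replace("\\", "\\\\").replace("\"", "\\\"");
        resp.setContentType("application/json");
        resp.setHeader("Cache-Control", "no-store");
        resp.getWriter().write("{\"sub\":\"" + escaped + "\"}");
    }
}
```

The design point: making the HttpOnly flag configurable would let a deployment hand the whole bearer token to page script, whereas exposing only the claim the page needs keeps the token's confidentiality intact and leaves nothing for a script injection to steal.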
