Meaning of RH-SSO / Keycloak cookies and handling secure and HttpOnly flags

Solution Verified - Updated -

Issue

  • Need to know the meanings of the cookies AUTH_SESSION_ID, KC_RESTART, KEYCLOAK_IDENTITY, KEYCLOAK_SESSION and KEYCLOAK_REMEMBER_ME
  • When is the AUTH_SESSION_ID cookie issued and deleted?
  • Are Keycloak cookies marked HttpOnly?
  • Keycloak cookies are not marked Secure; how can they all be secured?
  • Are Keycloak cookies vulnerable to security attacks?
  • When the browser or the mobile application is closed, the KEYCLOAK_IDENTITY cookie. How can KEYCLOAK_IDENTITY be made a persistent cookie?
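As an added check that is not part of this Red Hat article, the following Python snippet parses Set-Cookie headers and reports which of the cookies named above are missing the Secure or HttpOnly flag; the header lines are constructed samples, not real Keycloak output, and the paths and values are placeholders.

```python
KEYCLOAK_COOKIES = ("AUTH_SESSION_ID", "KC_RESTART", "KEYCLOAK_IDENTITY",
                    "KEYCLOAK_SESSION", "KEYCLOAK_REMEMBER_ME")

# Constructed sample Set-Cookie headers (not a real capture); some lines
# deliberately omit a flag so the audit has something to report.
SAMPLE_SET_COOKIE = [
    "AUTH_SESSION_ID=placeholder.node1; Path=/auth/realms/demo/; Secure; HttpOnly",
    "KC_RESTART=placeholder; Path=/auth/realms/demo/; HttpOnly",
    "KEYCLOAK_IDENTITY=placeholder; Path=/auth/realms/demo/; Secure; HttpOnly",
    "KEYCLOAK_SESSION=demo/placeholder; Expires=Thu, 01 Jan 2026 00:00:00 GMT; "
    "Path=/auth/realms/demo/; Secure",
    "KEYCLOAK_REMEMBER_ME=username:alice; Path=/auth/realms/demo/; HttpOnly",
]


def parse_set_cookie(header):
    """Return (name, attrs): attrs maps lower-cased attribute names to their
    values, or to True for valueless flags such as Secure and HttpOnly."""
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, sep, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip() if sep else True
    return name.strip(), attrs


def audit_cookies(headers, names=KEYCLOAK_COOKIES):
    """Map each Keycloak cookie found in `headers` to the list of flags
    ('secure', 'httponly') it is missing; an empty list means both are set."""
    findings = {}
    for header in headers:
        name, attrs = parse_set_cookie(header)
        if name not in names:
            continue  # ignore cookies that are not Keycloak's own
        missing = [flag for flag in ("secure", "httponly")
                   if attrs.get(flag) is not True]
        findings[name] = missing
    return findings


if __name__ == "__main__":
    for cookie, missing in audit_cookies(SAMPLE_SET_COOKIE).items():
        status = "OK" if not missing else "missing " + ", ".join(missing)
        print(f"{cookie}: {status}")
```

Feed it the Set-Cookie headers from your own deployment's login response to see which cookies still need the Secure or HttpOnly flag.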

Environment

  • Red Hat Single Sign-On (RH-SSO)
    • 7
