[ https://issues.apache.org/jira/browse/KNOX-933?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16006298#comment-16006298 ]

Larry McCay commented on KNOX-933:
----------------------------------

Hi [~kpandey] - thanks for this patch!
I think that we should probably make the setting of the Secure flag 
configurable from the topology.
Consider a param to the picketlink provider params for something like 
original.url.cookie.secure and default it to true.
Then inside the addCookie method of CaptureOriginalURLFilter you will just test 
the value of this param from the initparms that were interrogated inside the 
init method.

This will allow the cookie to be presented by the browser in dev environments 
where SSL needs to be disabled.

> PicketLink Provider must set Secure and HTTPOnly flags on Cookie
> ----------------------------------------------------------------
>
>                 Key: KNOX-933
>                 URL: https://issues.apache.org/jira/browse/KNOX-933
>             Project: Apache Knox
>          Issue Type: Bug
>          Components: Server
>            Reporter: Larry McCay
>            Assignee: Krishna Pandey
>              Labels: KIP-7
>             Fix For: 0.13.0
>
>         Attachments: KNOX-933_master_v1.patch
>
>
> The provider creates a cookie in CaptureOriginalURLFilter.java at line 68, 
> but fails to set the HttpOnly and Secure flags to true.
> This provider is not really supported anymore and isn't even documented but 
> we should make sure that all cookies have HttpOnly and Secure flags set. We 
> should separately consider deprecating and removing this provider.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
