nic-6443 commented on code in PR #13331: URL: https://github.com/apache/apisix/pull/13331#discussion_r3247311735
########## docs/en/latest/plugins/cas-auth.md: ########## @@ -64,7 +68,10 @@ curl http://127.0.0.1:9180/apisix/admin/routes/cas1 -H "X-API-KEY: $admin_key" - "cas-auth": { "idp_uri": "http://127.0.0.1:8080/realms/test/protocol/cas";, "cas_callback_uri": "/anything/cas_callback", - "logout_uri": "/anything/logout" + "logout_uri": "/anything/logout", + "cookie": { + "secret": "please-replace-with-a-32+-char-random-secret" Review Comment: This example still runs the protected route over `http://127.0.0.1`, but the new default is `cookie.secure=true`. Browsers will ignore both `CAS_REQUEST_URI` and `CAS_SESSION` when they are set with `Secure` over HTTP, so following this example would either fall back to `/` after login or fail to keep the session cookie. Can we either add `"secure": false` here for the local HTTP example, or switch the example to HTTPS? -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
