While going through pen tests and security scans, I have gotten warnings about several Keycloak cookies:
- AUTH_SESSION_ID_LEGACY
- KC_RESTART
- AUTH_SESSION_ID
For the first two, the warning was that they didn't have SameSite set; for the last one, that it didn't have Secure set.
I have a few questions:
- What is each of these cookies for? I’ve looked in the docs for a guide to cookies set by Keycloak, but I could not find any. I want to understand what each one does.
- I have Keycloak on the same origin as the application it is protecting and I have HTTPS on both. Can I change something to set the SameSite flag? Can I change something to make it so that Secure is always set?
Thanks!
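One way to reproduce the scanner's check locally, as an added example that is not Keycloak code and not part of the original post: it parses Set-Cookie headers and reports which of the Secure, HttpOnly and SameSite attributes are missing. The sample headers, cookie values and realm path are constructed to mirror the findings in the question.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample headers modelled on the scan findings in the question;
# the values and the realm path are placeholders, not real Keycloak output.
SAMPLE_SET_COOKIE_HEADERS = [
    "AUTH_SESSION_ID_LEGACY=placeholder1; Version=1; Path=/auth/realms/demo/; Secure; HttpOnly",
    "KC_RESTART=placeholder2; Version=1; Path=/auth/realms/demo/; Secure; HttpOnly",
    "AUTH_SESSION_ID=placeholder3; Version=1; Path=/auth/realms/demo/; HttpOnly; SameSite=None",
]


@dataclass
class CookieAudit:
    name: str
    secure: bool
    http_only: bool
    same_site: Optional[str]
    findings: List[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> CookieAudit:
    """Split one Set-Cookie header into the cookie name and its attribute flags."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        # Flag attributes (Secure, HttpOnly) have no value; store None for them.
        attrs[key.strip().lower()] = value.strip() or None
    return CookieAudit(name=name, secure="secure" in attrs,
                       http_only="httponly" in attrs, same_site=attrs.get("samesite"))


def audit_cookie(header: str) -> CookieAudit:
    """Apply the checks a scanner applies: Secure present (HTTPS origin),
    SameSite explicit, SameSite=None only together with Secure, HttpOnly set."""
    audit = parse_set_cookie(header)
    if not audit.secure:
        audit.findings.append("missing Secure")
    if audit.same_site is None:
        audit.findings.append("missing SameSite")
    elif audit.same_site.lower() == "none" and not audit.secure:
        audit.findings.append("SameSite=None without Secure (browsers reject it)")
    if not audit.http_only:
        audit.findings.append("missing HttpOnly")
    return audit


def audit_all(headers: List[str]) -> Dict[str, List[str]]:
    """Map each cookie name to its list of findings (empty list means clean)."""
    return {a.name: a.findings for a in map(audit_cookie, headers)}


if __name__ == "__main__":
    for cookie, findings in audit_all(SAMPLE_SET_COOKIE_HEADERS).items():
        print(f"{cookie}: {', '.join(findings) or 'ok'}")
```

Point it at the Set-Cookie headers from a real login response (for example from browser developer tools) to see whether the flags the scanner complained about are now present.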