Cookie Security

adamzr · March 24, 2021, 4:11pm

While going through pen tests and security scans, I have gotten warnings about several Keycloak cookies:

The first 2 that they didn’t have SameSite set, the last one that it didn’t have Secure set.

I have a few questions:

What is each of these cookies for? I’ve looked in the docs for a guide to cookies set by Keycloak, but I could not find any. I want to understand what each one does.
I have Keycloak on the same origin as the application it is protecting and I have HTTPS on both. Can I change something to set the SameSite flag? Can I change something to make it so that Secure is always set?

Thanks!

Topic		Replies	Views
How to set the secure flag for cookie KEYCLOAK_SESSION	2	7633	September 28, 2021
Keycloak 9.0.0 - Cookies are not being sent with SameSite=None by the server Configuring the server admin-console , authentication	5	8264	August 10, 2020
Kc_session Secure flag	0	749	December 10, 2021
Cookie secure flag not applied using "external requests" in "SSL required" parameter Getting advice	0	379	June 7, 2022
Firefox 92 and admin console: "Cookie will be soon rejected" Configuring the server admin-console	0	803	September 29, 2021