Continuing the discussion from Keycloak 9.0.0 - Cookies are not being sent with SameSite=None by the server:
I have a question about Keycloak’s cookies.
What kind of processing is done with the KEYCLOAK_IDENTITY and KEYCLOAK_SESSION cookies published by Keycloak?
I’m thinking of renaming these cookies so that Keycloak can’t use them.
I want to ignore Keycloak’s cookies because I want to give priority to the Apache session.
I am trying to use Keycloak and Apache (mod_auth_openidc) to authenticate users from the browser.
When someone logs out, the session managed by Apache and the session managed by Keycloak are deleted.
When logging out, if the session managed by Apache is enabled and the session managed by Keycloak is disabled, Keycloak will cause a server error and will not redirect to the logout screen.
I am thinking of renaming the KEYCLOAK_IDENTITY and KEYCLOAK_SESSION cookies published by Keycloak in Apache.
If I rename KEYCLOAK_IDENTITY and KEYCLOAK_SESSION and make them unavailable to Keycloak, I will not get a server error in Keycloak when I log out.
How are KEYCLOAK_IDENTITY and KEYCLOAK_SESSION used in operations other than this logout?
Server error in Keycloak.
Uncaught server error: java.lang.IllegalStateException: Can’t add session: task in progress for session
Apache setting to rename Keycloak’s cookies.
Header edit Set-Cookie KEYCLOAK_SESSION_LEGACY KEYCLOAK_SESSION_LEGACY_DUMMY
Header edit Set-Cookie KEYCLOAK_IDENTITY_LEGACY KEYCLOAK_IDENTITY_LEGACY_DUMMY
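To check which cookies those two `Header edit` rules actually rename, here is an added example (not from the post, and not Keycloak or Apache code) that replays them over constructed Set-Cookie headers. It assumes Keycloak 9 sends both the SameSite=None cookie and its `_LEGACY` twin, and that `Header edit` replaces only the first match in each header value (the `edit*` form replaces all).

```python
import re

# Constructed Set-Cookie headers, modelled on a Keycloak 9 login response.
# Assumption: both the SameSite=None cookie and its *_LEGACY twin are sent.
SAMPLE_SET_COOKIE_HEADERS = [
    "KEYCLOAK_SESSION=myrealm/abc123; Path=/auth/realms/myrealm/; Secure; SameSite=None",
    "KEYCLOAK_SESSION_LEGACY=myrealm/abc123; Path=/auth/realms/myrealm/; Secure",
    "KEYCLOAK_IDENTITY=eyJ...; Path=/auth/realms/myrealm/; Secure; HttpOnly; SameSite=None",
    "KEYCLOAK_IDENTITY_LEGACY=eyJ...; Path=/auth/realms/myrealm/; Secure; HttpOnly",
]

# The two rules from the post, as (regex, replacement) pairs.
POST_RULES = [
    ("KEYCLOAK_SESSION_LEGACY", "KEYCLOAK_SESSION_LEGACY_DUMMY"),
    ("KEYCLOAK_IDENTITY_LEGACY", "KEYCLOAK_IDENTITY_LEGACY_DUMMY"),
]

# A broader, anchored rule (hypothetical) that renames the non-legacy cookies
# too. Written in Python regex syntax; in httpd.conf the backreference is $1.
BROAD_RULES = [
    (r"^(KEYCLOAK_(?:SESSION|IDENTITY)(?:_LEGACY)?)=", r"\1_DUMMY="),
]


def apply_header_edit(headers, rules):
    """Mimic mod_headers 'Header edit' on every Set-Cookie value.

    Assumption: like 'Header edit' (not 'edit*'), only the first match of each
    pattern inside a header value is replaced.
    """
    out = []
    for value in headers:
        for pattern, repl in rules:
            value = re.sub(pattern, repl, value, count=1)
        out.append(value)
    return out


def cookie_names(headers):
    """Cookie names a browser would store from these Set-Cookie values."""
    return [h.split("=", 1)[0].strip() for h in headers]


def cookies_keycloak_still_receives(headers, rules):
    """Names left unrenamed, i.e. cookies the browser will still send back to
    Keycloak under a name it recognises."""
    names = cookie_names(apply_header_edit(headers, rules))
    return [n for n in names if not n.endswith("_DUMMY")]
```

With the post's two rules, KEYCLOAK_SESSION and KEYCLOAK_IDENTITY are left untouched, so Keycloak still receives them; only the anchored rule renames all four.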