Kc_session Secure flag


I set in realm configuration Require SSL: all requests, and all Keycloak cookies now have Secure flag, except kc_session cookie.

I found here: [keycloak-user] Set-Cookie is missing 'Secure' and 'HttpOnly' flags that:

KEYCLOAK_SESSION cookie is not marked HttpOnly and is used by our iframe to detect if the user is logged in still

Is “kc_session” name of “KEYCLOAK_SESSION” cookie?
“kc_session” isn’t marked with Secure flag, as it is necessary to iframe?

Keycloak version 15.0.2

1 Like