Extend form auth cookie configuration #27609

dector · 2022-08-30T23:22:52Z

Suggested configurations:

Make cookie HttpOnly / add configuration option to force this.
- Why? Current cookie is not HttpOnly which is not a safe way of using session cookie.
- Workaround? Can you advice any? Is it possible intercept single endpoint response and modify it's cookies?
or Add ability to modify session cookie after it was created by injecting some mapper function and calling it on the cookie instance (e.g. I would love to use Secure as my application server is running behind the reverse proxy (Caddy <---http--> Quarkus)).

No response

The text was updated successfully, but these errors were encountered:

michalvavrik · 2022-09-05T11:53:03Z

I'll have a look provided no-one is working on this (?). Any preferences/requirements on impl. @sberyozkin ?

dector added the kind/enhancement New feature or request label Aug 30, 2022

quarkus-bot bot added the triage/needs-triage label Aug 30, 2022

sberyozkin added area/security and removed triage/needs-triage labels Aug 31, 2022

michalvavrik mentioned this issue Sep 10, 2022

Provide an option to set Form based auth encrypted cookie as HttpOnly #27853

Merged

sberyozkin closed this as completed in #27853 Sep 12, 2022

quarkus-bot bot added this to the 2.13 - main milestone Sep 12, 2022

Provide feedback