[KEYCLOAK-10668] Do not set the cookie domain
By setting the domain attribute on the cookie we were allowing the cookie to be applied to subdomains where it may not be valid and may interfere with other services protected by keycloak-gatekeeper. (For example, a gatekeeper running on https://domain.com could break a gatekeeper running on https://sub.domain.com.) Instead, we should simply not set the attribute unless there is a specific domain configured. For more information please see section 4.1.2.3 of [RFC 6265].

[RFC 6265]: https://tools.ietf.org/html/rfc6265#section-4.1.2
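The scoping rule the commit relies on, as an added illustration that is not keycloak-gatekeeper's own code: a Set-Cookie without a Domain attribute becomes a host-only cookie that the user agent sends back only to the exact issuing host, whereas Domain=domain.com makes the cookie cover every subdomain. The model below follows RFC 6265 sections 5.1.3, 5.2.3, 5.3 and 5.4 for host names only (IP literals are not handled); the cookie name "kc-access" and the hosts are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// Added example (not keycloak-gatekeeper code): models how a user agent scopes
// a cookie depending on whether Set-Cookie carried a Domain attribute.

// CookieScope is the stored scope of a cookie in the user agent's cookie jar.
type CookieScope struct {
	Domain   string // canonicalised domain the cookie is attached to
	HostOnly bool   // true when no Domain attribute was present
}

// DomainMatch implements RFC 6265 section 5.1.3 for host names: host matches
// domain when they are equal or host is a subdomain of domain.
func DomainMatch(host, domain string) bool {
	host = strings.ToLower(host)
	domain = strings.ToLower(domain)
	return host == domain || strings.HasSuffix(host, "."+domain)
}

// ScopeFor derives the stored scope from a Set-Cookie value and the request
// host (RFC 6265 section 5.3, steps 4 to 6). A Domain attribute that does not
// cover the request host causes the cookie to be rejected outright.
func ScopeFor(requestHost string, c *http.Cookie) (CookieScope, error) {
	requestHost = strings.ToLower(requestHost)
	domain := strings.ToLower(strings.TrimPrefix(c.Domain, ".")) // section 5.2.3
	if domain == "" {
		// No Domain attribute: host-only cookie bound to the issuing host.
		return CookieScope{Domain: requestHost, HostOnly: true}, nil
	}
	if !DomainMatch(requestHost, domain) {
		return CookieScope{}, errors.New("cookie rejected: Domain does not cover request host")
	}
	return CookieScope{Domain: domain, HostOnly: false}, nil
}

// AppliesTo reports whether the stored cookie is attached to a request for
// host (RFC 6265 section 5.4 step 1, domain part only).
func (s CookieScope) AppliesTo(host string) bool {
	host = strings.ToLower(host)
	if s.HostOnly {
		return host == s.Domain
	}
	return DomainMatch(host, s.Domain)
}

// Leaks reports whether a cookie issued by gatekeeperHost with the given
// Domain attribute would also be sent to otherHost.
func Leaks(gatekeeperHost, domainAttr, otherHost string) (bool, error) {
	cookie := &http.Cookie{Name: "kc-access", Value: "constructed-token", Domain: domainAttr}
	scope, err := ScopeFor(gatekeeperHost, cookie)
	if err != nil {
		return false, err
	}
	return scope.AppliesTo(otherHost), nil
}

func main() {
	// Before the fix: Domain=domain.com, the cookie reaches sub.domain.com.
	// After the fix: no Domain attribute, the cookie stays on domain.com.
	for _, d := range []string{"domain.com", ""} {
		leak, _ := Leaks("domain.com", d, "sub.domain.com")
		fmt.Printf("Domain=%q: cookie issued by domain.com sent to sub.domain.com? %v\n", d, leak)
	}
}
```

Running it prints true for the Domain=domain.com case and false for the host-only case, which is exactly the cross-gatekeeper interference the message describes. Note the converse also holds: a gatekeeper on sub.domain.com can never issue a cookie scoped to domain.com, because a Domain that does not cover the issuing host is rejected by the user agent.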