How to change from SameSite=none to SameSite=Lax in KEYCLOAK_SESSION cookie?


Kailas Nath K. V

Feb 15, 2022, 9:40:00 AM
to Keycloak Dev

I am using Keycloak 12 for authentication in our project. There are some cookies set by Keycloak by default.
One of the cookies, KEYCLOAK_SESSION, has the SameSite attribute and its value is coming as "None" with the Secure flag; I wanted to change the SameSite attribute value to "lax" or "strict".

Can anyone please help me find a solution?



Original post: https://keycloak.discourse.group/t/how-to-change-from-samesite-none-to-samesite-lax-in-keycloak-session-cookie/13615?u=kailasnathmca

Václav Muzikář

Feb 15, 2022, 12:07:57 PM
to Kailas Nath K. V, Keycloak Dev
Hello, currently it is not possible to change the SameSite settings. That is because the JS adapter requires it to be able to properly work. That cookie, however, does not contain any security sensitive data, it just shows whether a session exists or not. The real authentication cookie (KEYCLOAK_IDENTITY) that contains sensitive data does NOT use SameSite=None.



--
Václav Muzikář
Senior Software Engineer
Keycloak / Red Hat Single Sign-On
Red Hat Czech s.r.o.
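An added audit script, not from this thread or from the Keycloak project, that checks Set-Cookie headers against the expectations stated above: KEYCLOAK_SESSION is SameSite=None; Secure because the JS adapter needs it, while KEYCLOAK_IDENTITY must not be SameSite=None. The HttpOnly expectation on the identity cookie is the script's own policy, and the sample headers, Path and Version values and the EXAMPLE_COOKIE entry are constructed placeholders.

```python
from typing import Dict, List, Tuple
# Constructed sample Set-Cookie headers (placeholders, not captured from a real
# server): the session cookie is SameSite=None; Secure, the identity cookie is not.
SAMPLE_SET_COOKIE_HEADERS = [
    "KEYCLOAK_SESSION=myrealm/placeholder-user/placeholder-session; "
    "Version=1; Path=/auth/realms/myrealm/; Secure; SameSite=None",
    "KEYCLOAK_IDENTITY=placeholder.token.value; Version=1; "
    "Path=/auth/realms/myrealm/; Secure; HttpOnly",
    # Hypothetical, deliberately misconfigured cookie to exercise the checks.
    "EXAMPLE_COOKIE=x; Path=/; SameSite=None",
]
# This script's policy per cookie name: "not-none" accepts Lax, Strict or an
# absent SameSite attribute; None means the attribute is not checked.
EXPECTED = {
    "KEYCLOAK_SESSION": {"samesite": "none", "secure": True, "httponly": None},
    "KEYCLOAK_IDENTITY": {"samesite": "not-none", "secure": True, "httponly": True},
}

def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a Set-Cookie header into (name, value, {attr_lowercase: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs

def audit_cookies(headers: List[str]) -> List[str]:
    """Return one finding per violated rule; an empty list means all clear."""
    findings: List[str] = []
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        samesite = attrs.get("samesite", "").lower()
        secure, httponly = "secure" in attrs, "httponly" in attrs
        # Browsers reject SameSite=None without Secure: the cookie is dropped, not protected.
        if samesite == "none" and not secure:
            findings.append(f"{name}: SameSite=None without Secure")
        rule = EXPECTED.get(name)
        if rule is None:
            continue
        if rule["samesite"] == "none" and samesite != "none":
            findings.append(f"{name}: expected SameSite=None (JS adapter iframe)")
        if rule["samesite"] == "not-none" and samesite == "none":
            findings.append(f"{name}: sensitive cookie must not be SameSite=None")
        if rule["secure"] and not secure:
            findings.append(f"{name}: missing Secure")
        if rule["httponly"] and not httponly:
            findings.append(f"{name}: missing HttpOnly")
    return findings
```

Feed it the Set-Cookie headers captured from your own Keycloak login response to see which cookies deviate from the policy.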

Ievgen Mykolenko

May 31, 2022, 11:28:11 AM
to Keycloak Dev
Hi there,

I just tested with Keycloak 16 and observe that KEYCLOAK_IDENTITY uses SameSite=None.
Did you manage to make it use SameSite=Lax?

Please see the attached screenshot (Screenshot 2022-05-31 at 17.21.06.png).

Vinod Kumar

Sep 19, 2023, 6:23:43 AM
to Keycloak Dev

Hi,

My query is similar. We are upgrading Keycloak from v17 to the latest Quarkus version 22. We are not able to set the KEYCLOAK_SESSION cookie to HttpOnly, due to usage of the Keycloak iframe functionality. Do we have a similar restriction in the latest Keycloak version 22?

Regards
Vinod.