
Cookie Processor Configuration - Names, attributes, etc #1414

Open
robotdan opened this issue Sep 28, 2021 · 0 comments
robotdan commented Sep 28, 2021

Cookie Processor Configuration - Names, attributes, etc

Problem

FusionAuth uses a number of cookies. The cookie names are hard coded, and the cookie SameSite attribute, while configurable, is not configurable per cookie (see fusionauth-app.http.cookie-same-site-policy in configuration).

Current cookies, may not be exhaustive:

  • access_token
  • fusionauth.csrf
  • fusionauth.flash-message
  • fusionauth.locale
  • fusionauth.pkce-verifier
  • fusionauth.remember-device
  • fusionauth.session
  • fusionauth.sso
  • fusionauth.timezone
  • fusionauth.trust
  • refresh_token

Some legacy SAML v2 configuration by design uses cross site POST requests. A cookie will not be sent along with this type of request unless the SameSite=None is configured. While not recommended, you could configure this to be None - but it would be global to FusionAuth, instead of just for the fusionauth.sso cookie. This is just one example where it may be useful to modify the SameSite attribute per cookie.

There may be other use cases where an end user wishes to rename a cookie to better suit their integration.

It is also becoming more critical to be able to disable Functional cookies that are not classified as Necessary. While most of these cookies will be classified as Necessary, it is possible that one or more could be configured to be disabled to help clients deal with GDPR and similar regulation.

Solution

We could add a cookie processor with an exposed configuration to allow cookies to be renamed, and optionally use a specific SameSite policy etc.

  • Allow cookie rename
  • Allow per cookie attributes such as SameSite
  • Allow functional cookies (not Necessary) to be disabled

Alternatives/workarounds

Deal with it.

Related issues

Community guidelines

All issues filed in this repository must abide by the FusionAuth community guidelines.

How to vote

Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.
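The following is an added illustration of the kind of cookie processor the issue proposes; it is not FusionAuth code and does not reflect how the project would implement it. It assumes a hypothetical per-cookie rule set (`CookieRule`, `NECESSARY`, `DEFAULT_SAME_SITE` are all invented here) applied to outgoing `Set-Cookie` headers: a rule can rename a cookie, override its SameSite value, or disable it, and a Necessary cookie is refused if a rule tries to disable it. It also adds the one check a practitioner would want around the SAML use case above: when a cookie is given `SameSite=None`, the `Secure` flag is forced on, because browsers discard `SameSite=None` cookies that are not marked `Secure`.

```python
"""Hypothetical per-cookie Set-Cookie processor (illustration only, not FusionAuth's code)."""
from dataclasses import dataclass
from typing import Dict, Optional

VALID_SAME_SITE = {"Strict", "Lax", "None"}
DEFAULT_SAME_SITE = "Lax"  # stands in for the global cookie-same-site-policy setting

# Cookies treated as Necessary in this illustration (assumed classification, not FusionAuth's).
NECESSARY = {
    "access_token", "refresh_token", "fusionauth.csrf", "fusionauth.session",
    "fusionauth.sso", "fusionauth.trust", "fusionauth.pkce-verifier",
}


@dataclass
class CookieRule:
    """Per-cookie overrides, keyed by the cookie's built-in name."""
    rename: Optional[str] = None      # new cookie name, or None to keep the original
    same_site: Optional[str] = None   # "Strict" | "Lax" | "None", or None for the global default
    enabled: bool = True              # False drops a Functional cookie entirely

    def __post_init__(self):
        if self.same_site is not None and self.same_site not in VALID_SAME_SITE:
            raise ValueError(f"invalid SameSite value: {self.same_site!r}")


# Canonical spelling for the attributes we re-emit; unknown attributes are passed through as-is.
CANONICAL = {"path": "Path", "domain": "Domain", "expires": "Expires", "max-age": "Max-Age",
             "secure": "Secure", "httponly": "HttpOnly", "samesite": "SameSite"}


def parse_set_cookie(header: str):
    """Split a Set-Cookie header into (name, value, attrs); flag attributes map to None."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None
    return name.strip(), value.strip(), attrs


def serialize(name: str, value: str, attrs: Dict[str, Optional[str]]) -> str:
    """Rebuild a Set-Cookie header, preserving attribute order."""
    out = [f"{name}={value}"]
    for key, val in attrs.items():
        label = CANONICAL.get(key, key)
        out.append(label if val is None else f"{label}={val}")
    return "; ".join(out)


def process(header: str, rules: Dict[str, CookieRule]) -> Optional[str]:
    """Apply the per-cookie rule to one Set-Cookie header.

    Returns the rewritten header, or None when the cookie is disabled by its rule.
    """
    name, value, attrs = parse_set_cookie(header)
    rule = rules.get(name, CookieRule())

    if not rule.enabled:
        if name in NECESSARY:
            raise ValueError(f"{name} is classified Necessary and cannot be disabled")
        return None  # Functional cookie suppressed, e.g. for a GDPR consent setting

    same_site = rule.same_site or DEFAULT_SAME_SITE
    attrs["samesite"] = same_site
    if same_site == "None":
        # SameSite=None is only honoured by browsers when the cookie is also Secure.
        attrs["secure"] = None

    return serialize(rule.rename or name, value, attrs)


# Constructed rule set mirroring the three use cases in the issue.
RULES = {
    "fusionauth.sso": CookieRule(same_site="None"),       # cross-site SAML POST needs this one cookie
    "fusionauth.locale": CookieRule(rename="myapp_locale"),
    "fusionauth.timezone": CookieRule(enabled=False),     # Functional cookie switched off
}

if __name__ == "__main__":
    for h in ("fusionauth.sso=abc; Path=/; HttpOnly",
              "fusionauth.locale=en_US; Path=/",
              "fusionauth.timezone=UTC; Path=/"):
        print(f"{h!r} -> {process(h, RULES)!r}")
```

Only the cookie named in the rule picks up `SameSite=None`; every other cookie keeps the global default, which is the per-cookie granularity the issue is asking for.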
