session 4.1. Can we use opbs with http (not httponly)
Regarding the spec at openid-connect-session-1_0-15.html, it says "The OP iframe has access to Browser state at the OP (in a cookie or in HTML5 storage)".
I would like to confirm whether it is possible to access that cookie from JavaScript. My concern is the security issue. Currently, all of the cookies used in my application are set as HttpOnly cookies.
Comments (6)
Account Deleted: Yes, that's the reason I would like to confirm whether it is possible to store the opbs in the browser, and what the opbs value should be to avoid the security issue.
Could someone please propose specific text for the spec about this issue? George, perhaps?
We will say that if a cookie is used to maintain the OP browser state, that the HTTP-only flag likely can't be set for this cookie. Therefore, information that can be used for identifying the user should not be put into the cookie, as it could be read by unrelated JavaScript.
Account Deleted: I totally agree with this text. Thank you Michael!
- changed status to resolved
Fixed
#873- Clarified that the HttpOnly flag can't be set for cookies used to maintain OP browser state.→ <<cset 5b6f55c8aeeb>>
If using a Cookie to pass state information from the IdP to the i-frame, then the JS loaded into the i-frame must be able to read the cookie. Therefore, the IdP can NOT set the HttpOnly flag when writing the cookie. You can load the i-frame over SSL and then set the Secure flag.