session 4.1. Can we use opbs with http (not httponly)

Issue #873 resolved
Former user created an issue

Regarding the spec on openid-connect-session-1_0-15.html, it says "The OP iframe has access to Browser state at the OP (in a cookie or in HTML5 storage)".

I would like to confirm whether it is possible to access that cookie from JavaScript? My concern is about the security issue. Currently, all of the cookies used on my application are set as HttpOnly cookies.

Comments (6)

  1. gffletch

    If using a Cookie to pass state information from the IdP to the i-frame, then the JS loaded into the i-frame must be able to read the cookie. Therefore, the IdP can NOT set the HttpOnly flag when writing the cookie. You can load the i-frame over SSL and then set the Secure flag.

  2. Former user Account Deleted

    Yes, that's the reason I would like to confirm whether it is possible to store the opbs on the browser and what the opbs' value should be to avoid the security issue.

  3. Michael Jones

    We will say that if a cookie is used to maintain the OP browser state, the HTTP-only flag likely can't be set for this cookie. Therefore, information that can be used for identifying the user should not be put into the cookie, as it could be read by unrelated JavaScript.
