IdentityServer / IdentityServer2

[deprecated] Thinktecture IdentityServer is a light-weight security token service built with .NET 4.5, MVC 4, Web API and WCF.

Cookie for global sign out should follow idsrvauth configuration #812

Open hansarnevartdal opened 9 years ago

hansarnevartdal commented 9 years ago

In SignInSessionsManager.cs the cookie containing the global sign-out endpoints is written (hard-coded) as secure. To set up IdSrv v2 for HTTP in dev/test environments, it would be preferable if this cookie followed the settings of the idsrvauth cookie in identityServices.config:

federationConfiguration -> cookieHandler -> requireSsl -> true/false

Edit: I realize that this is not needed behind a LB/proxy terminating SSL, but I believe the two cookies should follow the same security settings, enabling running on HTTP in development and test.

brockallen commented 9 years ago

Yes, good idea. We don't have time to add a new feature such as this, but you can submit a PR and we can review. Thx.

hansarnevartdal commented 9 years ago

Added this a while back https://github.com/thinktecture/Thinktecture.IdentityServer.v2/pull/814 , but now I am thinking it should be looked at together with the Global.DisableSSL flag. Then again, I think DisableSSL should follow the cookie handler settings.

An IdSrv requiring SSL for cookies, but not for its endpoints, makes little sense to me. Is there a case for disabling secure cookies while still using SSL?

Using my PR we would still have to disable SSL in two places, so I would probably just set the DisableSSL flag based on the same cookie handler settings as well:

```csharp
// SSL is disabled only when the cookie handler does not require it (the value must be negated).
DisableSSL = !SystemIdentityModelServicesSection.DefaultFederationConfigurationElement.CookieHandler.RequireSsl;
```
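As an added illustration of the change requested in this thread (not code from IdentityServer v2 or from the linked PR), a small C# helper that builds the global sign-out cookie from the same `cookieHandler` element that drives the idsrvauth cookie; the class name and the cookie name are assumptions:

```csharp
using System;
using System.IdentityModel.Services.Configuration;
using System.Web;

// Hypothetical helper (not part of Thinktecture.IdentityServer.v2): the sign-out
// cookie's Secure and HttpOnly flags follow
//   <federationConfiguration><cookieHandler requireSsl="..." hideFromScript="..."/>
// in identityServices.config instead of being hard-coded.
public static class SignOutCookieFactory
{
    // Assumed cookie name; the project's real name is not given on this page.
    public const string CookieName = "signoutsessions";

    // Reads the cookieHandler element of the default federation configuration.
    public static CookieHandlerElement CookieHandlerSettings()
    {
        return SystemIdentityModelServicesSection.DefaultFederationConfigurationElement.CookieHandler;
    }

    // Pure decision function: takes the two flags explicitly so the policy can be
    // unit-tested without a web host or a config file.
    public static HttpCookie Create(string value, bool requireSsl, bool hideFromScript)
    {
        return new HttpCookie(CookieName, value)
        {
            Secure = requireSsl,       // previously always true; now mirrors requireSsl
            HttpOnly = hideFromScript, // mirrors hideFromScript, as the idsrvauth cookie does
            Path = "/"
        };
    }

    // Production entry point: both cookies now read the same configuration element.
    public static HttpCookie CreateFromConfig(string value)
    {
        var settings = CookieHandlerSettings();
        return Create(value, settings.RequireSsl, settings.HideFromScript);
    }
}
```

Behind a TLS-terminating load balancer or proxy, keep `requireSsl="true"` as the first comment notes: the flag describes the scheme the browser sees, not the one the application server sees, and a Secure cookie is still the right outcome there.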