setCookie always sets an encoded value in authentication scripts

[rksk]

Even if we disable "sign" and "encrypt" as below

setCookie(context.response, "name1", "value1", {"expires" : "session",
                                            "path" : "/",
                                            "httpOnly" : false,
                                            "hostOnly" : false,
                                            "secure" : false,
                                            "encrypt" : false,
                                            "sign" : false});

The cookie sent to the browser has the following format base64encode({"signature": null,"value": "value1"})

Suggestions

• Update the doc [1] to describe the cookie format to avoid confusion when observing the cookies from a browser
• Consider about setting the plain text or encrypted value of the cookie to the browser when "sign" is false.

[1] https://docs.wso2.com/display/IS570/Adaptive+Authentication+JS+API+Reference#AdaptiveAuthenticationJSAPIReference-setCookie(response,name,value,properties)

[senthalan]

I have created https://github.com/wso2/product-is/issues/5758 to track the 2nd suggestion

[ruwanta]

In the documentation please add the following.

1. The cookie is only interpreted by Identity server.
2. Please do not make any assumption about the cookie value or format.
3. Please do not access the cookie with front end Javascript.