DistributedSsoSessionStoreOptions

The distributed SSO session store cookie (default name “saml-session”) is by default not set to be HTTP Only and there isn’t a property on the type ComponentSpace.Saml2.Bindings.CookieOptions that allows this to be overridden.

Is there a reason that the cookie has to be available to client-side JavaScript?

If not, could you advise if there’s a way of configuring this without manually re-writing the Set-Cookie header ourselves?


Support for setting HTTP Only was added in the current release (v2.0.6).
For example:

using ComponentSpace.Saml2.Bindings;
using ComponentSpace.Saml2.Configuration;
using ComponentSpace.Saml2.Session;

// Make the SAML session cookie HTTP only.
// The options type is DistributedSsoSessionStoreOptions (the type this thread is about);
// its CookieOptions property controls the attributes of the "saml-session" cookie.
services.Configure<DistributedSsoSessionStoreOptions>(options =>
{
    options.CookieOptions = new CookieOptions()
    {
        HttpOnly = true
    };
});

// Add SAML SSO services.
services.AddSaml(Configuration.GetSection("SAML"));


We’ll default to HTTP Only in the next release (v2.0.7).
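After applying the configuration above, it is worth confirming what the application actually sends. The following is an added check (not ComponentSpace code or part of this thread) that parses Set-Cookie response headers and reports which attributes the "saml-session" cookie is missing; it also looks for Secure and SameSite, which is this check's assumption about what a session cookie should carry, not something the thread says the library sets. The sample headers are constructed.

```python
from http.cookies import SimpleCookie

# Default session cookie name from the thread.
SESSION_COOKIE = "saml-session"


def audit_set_cookie(set_cookie_headers, name=SESSION_COOKIE):
    """Return the attributes missing from cookie `name`, as a list.

    Returns None when no Set-Cookie header in the list issues that cookie,
    so a caller can tell "cookie never issued" from "cookie issued correctly".
    """
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)  # parses name=value plus attributes such as HttpOnly
        if name not in jar:
            continue
        morsel = jar[name]
        missing = []
        # Flag attributes are stored as True when present, "" otherwise.
        if not morsel["httponly"]:
            missing.append("HttpOnly")
        if not morsel["secure"]:
            missing.append("Secure")
        # SameSite carries a value (Lax/Strict/None); "" means absent.
        if not morsel["samesite"]:
            missing.append("SameSite")
        return missing
    return None


# Constructed sample headers: the pre-v2.0.6 default and the configured cookie.
WEAK_HEADERS = [
    "saml-session=CfDJ8-constructed-value; path=/; samesite=lax",
]
FIXED_HEADERS = [
    "saml-session=CfDJ8-constructed-value; path=/; samesite=lax; secure; httponly",
]

if __name__ == "__main__":
    print("weak  :", audit_set_cookie(WEAK_HEADERS))   # ['HttpOnly', 'Secure']
    print("fixed :", audit_set_cookie(FIXED_HEADERS))  # []
```

Feed it the Set-Cookie headers captured from a real SSO response (for example, from an integration test's HttpClient) to confirm the HttpOnly change took effect after deployment.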