Ip disclosure in keycloak cookie auth_session_id

I have Keycloak 17 running in an AWS EC2 instance, and it is integrated with my application. I'm using nginx as a reverse proxy for Keycloak and my application.
If I log in to my application, in the network tab of the browser I can see one API call:
authenticate?session_code=Wdb3Yvw-3wGFk0&execution=-9b6d-9a71fbhdg7faab9&client_id=realm&tab_id=dijir0ddr

In the headers tab, if I navigate to the request headers, a cookie attribute is present with a value like:

Cookie: AUTH_SESSION_ID=cd3-445-82b8.ip-19-16-0-***-***; AUTH_SESSION_ID_LEGACY=cd3-445-82b8.ip-19-16-0-***-***;

In the above cookie my private IP is visible. Is there any way to configure this? And why is this AUTH_SESSION_ID taking the private IP? How do I disable this IP disclosure in the browser? Can anybody help me configure this?

Hi, I faced the same issue. Did you get any solution?

Keycloak does NOT disclose the private IP of the node. The cookie value is of the format <session-id>.<owner-node-id>, so what you think is the private IP is actually the private/internal node id/name.
I guess you run your environment in AWS, and the internal node names of EC2 instances are built up using the IP address. So this is not Keycloak's "fault", but rather in scope of AWS.

You can disable the internal node-id attachment in the cookie value by setting the config property spi-sticky-session-encoder-infinispan-should-attach-route to the value false.

See also
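To confirm whether the route suffix is still present after changing that property (for example `spi-sticky-session-encoder-infinispan-should-attach-route=false` in `conf/keycloak.conf`, or the equivalent `--spi-sticky-session-encoder-infinispan-should-attach-route=false` start option), the following is an added check script that is not part of this thread or of Keycloak. It parses a raw `Cookie` request header, splits each `AUTH_SESSION_ID`/`AUTH_SESSION_ID_LEGACY` value into `<session-id>.<owner-node-id>` as described above, and reports any route that looks like an EC2 private-DNS-derived node name (`ip-A-B-C-D`). The sample headers are constructed; the session id and the `10.0.0.1` address are made up.

```python
"""Check whether Keycloak AUTH_SESSION_ID cookies still carry an owner-node route.

Added example, not code from the forum thread or from the Keycloak project.
The cookie format <session-id>.<owner-node-id> and the sample values below are
the only assumptions; the session id and the 10.0.0.1 address are constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

# Cookie names Keycloak uses for the authentication session (legacy copy lacks SameSite).
AUTH_COOKIES = ("AUTH_SESSION_ID", "AUTH_SESSION_ID_LEGACY")

# EC2 private DNS hostnames look like ip-10-0-1-23 (the private IP with dashes).
EC2_NODE_RE = re.compile(r"^ip-(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})$")

# Constructed sample headers: one from a node that attaches the route, one after
# the route attachment has been disabled, one with a non-EC2 node name.
HEADER_WITH_ROUTE = (
    "AUTH_SESSION_ID=cd3-445-82b8.ip-10-0-0-1; "
    "AUTH_SESSION_ID_LEGACY=cd3-445-82b8.ip-10-0-0-1; KEYCLOAK_LOCALE=en"
)
HEADER_WITHOUT_ROUTE = "AUTH_SESSION_ID=cd3-445-82b8; AUTH_SESSION_ID_LEGACY=cd3-445-82b8"
HEADER_CUSTOM_NODE = "AUTH_SESSION_ID=cd3-445-82b8.kc-node-1"


def parse_cookie_header(header: str) -> Dict[str, str]:
    """Split a raw Cookie header into a name -> value mapping."""
    cookies: Dict[str, str] = {}
    for part in header.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue  # ignore empty fragments and malformed pairs
        name, value = part.split("=", 1)
        cookies[name.strip()] = value.strip()
    return cookies


def split_route(value: str) -> Tuple[str, Optional[str]]:
    """Split <session-id>.<owner-node-id> into its two parts.

    The session id itself contains no dot, so everything after the first dot is
    the route. Returns (session_id, None) when no route is attached.
    """
    session_id, sep, route = value.partition(".")
    return session_id, (route if sep else None)


def ec2_private_ip(route: str) -> Optional[str]:
    """Return the dotted private IP encoded in an EC2-style node name, else None."""
    match = EC2_NODE_RE.match(route)
    if not match or any(int(octet) > 255 for octet in match.groups()):
        return None
    return ".".join(match.groups())


def find_route_leaks(header: str) -> List[Tuple[str, str, Optional[str]]]:
    """Return (cookie name, route, decoded private IP or None) for every auth
    cookie that still carries a route. An empty list means the route is gone."""
    leaks: List[Tuple[str, str, Optional[str]]] = []
    for name, value in parse_cookie_header(header).items():
        if name not in AUTH_COOKIES:
            continue
        _, route = split_route(value)
        if route is not None:
            leaks.append((name, route, ec2_private_ip(route)))
    return leaks


if __name__ == "__main__":
    for label, header in (("with route", HEADER_WITH_ROUTE),
                          ("without route", HEADER_WITHOUT_ROUTE),
                          ("custom node", HEADER_CUSTOM_NODE)):
        print(label, "->", find_route_leaks(header) or "no route attached")
```

Paste the `Cookie` header copied from the browser's network tab in place of the constructed samples. One caveat before switching the property off: the route exists so that a load balancer can send a request to the Keycloak node that owns the session; without it, sticky routing has to come from somewhere else (for example the reverse proxy), or requests may land on a non-owner node, which still works but costs extra cache traffic in a clustered deployment. Nothing changes for a single-node setup like the one in the question.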

Hi,
“I’ve encountered a security concern with session management in my application. The AUTH_SESSION_ID cookie retains the same value pre and post-authentication. This persistent session ID could potentially expose users to session fixation attacks, where an attacker could hijack a legitimate session by setting a known session ID in a victim’s browser.”

Please don't hijack threads with different topics. Just because it's the same cookie you are referring to, this is not related to this topic.

Additionally, if you feel you have encountered a security issue, report it properly to the team/project, as mentioned on the project's page.
Thanks.