Reputation: 61
The Keycloak server sends what appears to be an extra AUTH_SESSION_ID cookie with a path value of "/auth" when logging into the console.
I am running Keycloak 3.4.3 Final, Standalone HA configuration on Windows 2016 servers which sit behind an F5 load balancer.
When this cookie appears in the browser and the user logs in/out of the console without closing the browser, it will eventually lead to Keycloak prompting the user with a warning "You took too long to login. Login process starting from beginning." After the user logs in for the second time, occasionally, the browser will hit a "Too Many Redirects" error and fail to open the console.
Is Keycloak supposed to create two AUTH_SESSION_ID cookies, one with a path of "/auth" and the other with a path of my realm ("/auth/realms/xxxx")?
How are these symptoms related?
Upvotes: 4
Views: 14192
Reputation: 61
The answer is no, we should not get two AUTH_SESSION_ID cookies.
Thanks to Martin Kanis and the RedHat team, who identified why this was happening. If you are using F5 or another load balancer and not the mod_cluster balancer, you should not include the following setup in your configuration:
<session-cookie name="AUTH_SESSION_ID" http-only="true" />
They are going to update the Keycloak documentation and make this point clear.
Upvotes: 2
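As an added example (not part of the question or the answer above), the following Python script checks for both halves of this problem offline: it flags a cookie name that a login response sets at more than one Path, which is the symptom in the question, and it finds the `<session-cookie name="AUTH_SESSION_ID">` element inside the undertow `servlet-container` of a standalone-ha.xml, which is the setting the answer says to remove, and emits the file without it. That undertow element renames the servlet container's own HTTP session cookie (JSESSIONID by default), and that cookie is scoped to the deployment's context path, `/auth` for Keycloak, which is where the extra cookie comes from. The Set-Cookie headers, cookie values, realm name and undertow schema version below are constructed placeholders for the example.

```python
"""Offline checks for the duplicate AUTH_SESSION_ID cookie described above.

find_duplicate_cookies()         - given the Set-Cookie headers of one login
                                   response, report every cookie name issued
                                   with more than one distinct Path.
servlet_session_cookie_renames() - given standalone-ha.xml, report servlet
                                   containers whose <session-cookie> renames
                                   the servlet session cookie to AUTH_SESSION_ID.
strip_session_cookie_rename()    - return the same XML with that element removed.

Sample headers and XML are constructed for this example; cookie values, the
realm name and the namespace versions are placeholders, not copied from a release.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed Set-Cookie headers as a browser would receive them: the first is
# the renamed servlet session cookie at the context path, the second is
# Keycloak's own AUTH_SESSION_ID at the realm path.
SET_COOKIE_HEADERS = [
    "AUTH_SESSION_ID=a1b2c3d4.node1; Version=1; Path=/auth; HttpOnly",
    "AUTH_SESSION_ID=9f8e7d6c.node1; Version=1; Path=/auth/realms/myrealm; Secure; HttpOnly",
    "KC_RESTART=placeholder.token; Version=1; Path=/auth/realms/myrealm; Secure; HttpOnly",
]

# Constructed, trimmed standalone-ha.xml carrying the element the answer says
# to remove when the balancer is not mod_cluster. Schema versions are assumed.
STANDALONE_HA_XML = """<server xmlns="urn:jboss:domain:5.0">
  <profile>
    <subsystem xmlns="urn:jboss:domain:undertow:4.0">
      <servlet-container name="default">
        <jsp-config/>
        <session-cookie name="AUTH_SESSION_ID" http-only="true"/>
        <websockets/>
      </servlet-container>
    </subsystem>
  </profile>
</server>
"""


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def find_duplicate_cookies(set_cookie_headers):
    """Return {cookie_name: sorted paths} for every name set with >1 distinct Path.

    When one path is a prefix of the other, the browser sends both cookies on
    requests under the longer path, so the server sees two values for one name.
    """
    paths = defaultdict(set)
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        paths[name].add(attrs.get("path", "(default)"))
    return {name: sorted(p) for name, p in paths.items() if len(p) > 1}


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on namespaced tags."""
    return tag.rsplit("}", 1)[-1]


def _servlet_containers(root):
    """All undertow <servlet-container> elements, collected before any edits."""
    return [e for e in root.iter() if _local(e.tag) == "servlet-container"]


def servlet_session_cookie_renames(standalone_xml, cookie_name="AUTH_SESSION_ID"):
    """Names of servlet containers whose <session-cookie> uses cookie_name."""
    root = ET.fromstring(standalone_xml)
    hits = []
    for container in _servlet_containers(root):
        for child in container:
            if _local(child.tag) == "session-cookie" and child.get("name") == cookie_name:
                hits.append(container.get("name", "(unnamed)"))
    return hits


def strip_session_cookie_rename(standalone_xml, cookie_name="AUTH_SESSION_ID"):
    """Return the XML with every matching <session-cookie> element removed."""
    root = ET.fromstring(standalone_xml)
    for container in _servlet_containers(root):
        for child in list(container):
            if _local(child.tag) == "session-cookie" and child.get("name") == cookie_name:
                container.remove(child)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for name, paths in find_duplicate_cookies(SET_COOKIE_HEADERS).items():
        print(f"{name} is set at {len(paths)} paths: {', '.join(paths)}")
    for container in servlet_session_cookie_renames(STANDALONE_HA_XML):
        print(f"servlet-container '{container}' renames the servlet session cookie; "
              "remove <session-cookie> unless mod_cluster sticky sessions need it")
    print(strip_session_cookie_rename(STANDALONE_HA_XML))
```

To use it against a real deployment, paste the Set-Cookie headers from the browser's network tab (or `curl -si` against the realm's login URL) into `SET_COOKIE_HEADERS`, and point `STANDALONE_HA_XML` at the contents of the running profile. The XML check only looks at the undertow `servlet-container`; it does not judge whether mod_cluster is in use, which is the decision the answer leaves to you.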