Opendistro 1.10 breaking change - need more information

Hi,
I am currently using opendistro-security 1.9.0.0 plugins with ELK 7.8.0 and planning to update to the latest 1.13.x plugins. Going through the changelogs of all intermediate releases, I face difficulty in understanding one change in 1.10.

Opendistro version 1.10.0 release notes mention a breaking change in kibana - and so the upgrade guide suggests adding the following parameter in kibana.yml when upgrading from previous versions -

opendistro_security.cookie.secure: false

The change was made in this commit, however since the mentioned issue link https://github.com/opendistro-for-elasticsearch/opendistro-infra/issues/251 is broken now, I can’t understand the reason for the change.

  1. Can the correct issue link be shared where this change (& its reason) is explained?
  2. Does this change mean that:
    if kibana runs on HTTP, the parameter opendistro_security.cookie.secure should be set to false and
    if kibana runs on HTTPS, the parameter opendistro_security.cookie.secure should be set to true ?
  3. What would be the default value of opendistro_security.cookie.secure if not set in kibana.yml?

Any pointers would be appreciated.
Thanks!

Any updates on the above query? Thanks!

@shivani

The opendistro_security.cookie.secure setting is used to instruct the security plugin whether to send the cookie over an unencrypted network or not.

In other words, if opendistro_security.cookie.secure is set to true, the cookie will only be sent if TLS is used (i.e. kibana is set up with https).

Default is false.

Hope this helps
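
The relationship between this setting and Kibana's TLS configuration can be checked mechanically before an upgrade. The following is an added example, not part of the original thread or the plugin's code: it assumes kibana.yml uses flat dotted keys, reads Kibana's `server.ssl.enabled` key, takes the default of false from the reply above, and uses a hypothetical `tls_upstream` flag for a reverse proxy that terminates HTTPS in front of Kibana.

```python
# Added example: audit kibana.yml for a cookie.secure / TLS mismatch.
# Assumption: settings are flat dotted keys ("a.b.c: value"), not nested YAML.

def parse_flat_yaml(text):
    """Parse 'key: value' lines; skips comments, blank lines and bare list items."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].strip()   # drop trailing comments
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("'\"")
    return settings

def as_bool(value, default):
    """Interpret a YAML-style boolean string, falling back to a default."""
    if value is None:
        return default
    return value.lower() in ("true", "yes", "on")

def audit_cookie_secure(text, tls_upstream=False):
    """Return (status, message) for the cookie.secure setting.

    tls_upstream (hypothetical parameter): True when a proxy in front of
    Kibana terminates HTTPS, so browsers still reach Kibana over TLS.
    """
    cfg = parse_flat_yaml(text)
    https = as_bool(cfg.get("server.ssl.enabled"), False) or tls_upstream
    # Default of False is taken from the reply in this thread.
    secure = as_bool(cfg.get("opendistro_security.cookie.secure"), False)
    if secure and not https:
        return ("broken", "Secure cookie on plain HTTP: the browser withholds "
                          "it, so the session is lost after login")
    if https and not secure:
        return ("weak", "HTTPS is in use but the cookie lacks the Secure "
                        "flag and may be sent over plain HTTP")
    return ("ok", "cookie.secure matches the transport")

# Constructed sample configurations (not taken from a real deployment).
HTTP_SECURE = "server.port: 5601\nopendistro_security.cookie.secure: true\n"
HTTPS_DEFAULT = "server.ssl.enabled: true\n# opendistro_security.cookie.secure: true\n"
HTTPS_SECURE = "server.ssl.enabled: true\nopendistro_security.cookie.secure: 'true'\n"

if __name__ == "__main__":
    for name, sample in [("http+secure", HTTP_SECURE),
                         ("https+default", HTTPS_DEFAULT),
                         ("https+secure", HTTPS_SECURE)]:
        print(name, audit_cookie_secure(sample))
```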