I was going through the Keycloak cookies, specifically KC_RESTART. While reading the linked page, Keycloak Authentication flow, I found that KC_RESTART will be used to re-create the authentication flow when the browser root session has expired.
I was wondering how Keycloak validates this cookie. So after the session timed out (which I set through the Keycloak admin console: SSO Session Idle), I tried to modify the KC_RESTART cookie before accessing an authenticated API, and it still returned a 200 OK response.
This means the cookie was not being validated.
Can anyone tell me whether my understanding is correct? If this is not the correct way to test, then please tell me how to test whether Keycloak is validating this cookie.
And if this cookie is not being used, how can I disable it?