We have 3 apps: Client (React/SPA), API (ASP.NET CORE 3.1), and Auth (ASP.NET CORE 3.1 with IdentityServer 4).
Fairly recently, the app is starting to constantly do what appears to be a silent renew. As soon as the client app loads, I can see in the network tab that it immediately hits the authorize endpoint on the identity server, then I see the silent renew page load in an iframe on the app, then it hits the token endpoint on the identity server, then userinfo, and it just keeps cycling through this sequence - just never stops. Over and over. We use redux-oidc, which runs over oidc-client, and I can see within the console that this isn't being done or handled by redux-oidc. I can also see, when handling events on the usermanager, that my token isn't expiring, so it doesn't appear to be kicking this off either. We have samesite=none with the secure attribute on our identity server for the cookies that come out of there as well, as I thought that might be the problem, but this is still occurring.
Is there something else we should be looking at? And why would this have all of a sudden recently started happening? We even backed our code out to a version from over a month ago, and the problem still occurs, so we're not aware of any code changes we did that could cause this, as this just started happening within the last week, I believe.
HttpOnly is a flag added to cookies that tells the browser not to expose the cookie to client-side scripts. When you set a cookie with the HttpOnly flag, it informs the browser that this special cookie should only be accessed by the server.
But that cookie is required by the OIDC session management spec for JS/SPA clients. If you change it, you will break those types of clients. This is by design; check the spec: https://openid.net/specs/openid-connect-session-1_0.html#ChangeNotification
So you are good as is; no need to set HttpOnly to true.