Jon Koops

Results 690 comments of Jon Koops

We can add a migration for the cookie to `DefaultCookieProvider` so that all old-style cookies are automatically converted to the new format.

We do [know the client id](https://github.com/keycloak/keycloak/blob/049121f41e16ede587ef84d247078e24e16943d5/services/src/main/resources/org/keycloak/protocol/oidc/endpoints/login-status-iframe.html#L23) inside of the session status iframe, so if the cookie is pre/suffixed we can construct the name of the cookie from there.

Why would it be a problem that this cookie is exposed? We also expose the `KEYCLOAK_SESSION` cookie. Is that not security sensitive? I have to say in general the cookies...

> Looking at the BroadcastChannel implementation, I see that it is posting the message once. I could imagine that two tabs loading concurrently, with one tab not receiving the message...

Indeed. I do wonder what is causing this large amount of downloads. This has to be because popular libraries depend on `methods`. Unfortunately, the analytics on NPM are quite poor...

Perhaps a notice will suffice for now then. Would you like me to create a PR for it?

Putting this in as a draft as it seems the documentation tooling will need an update to make it compatible.

I am able to reproduce this on macOS if I run `./kc.sh start-dev` from the `bin` directory. If I use the root directory and run `./bin/kc.sh start-dev` it actually works...

We're seeing what appear to be false positives on our CI as well: https://github.com/keycloak/keycloak/actions/runs/12190763028/job/34008503162?pr=35684

Considering there has been a fix landed for 2 months now, would it be possible to get a patch release to get this out there?