[keycloak-dev] timeouts

Bill Burke bburke at redhat.com
Thu Jul 23 11:16:23 EDT 2015


Was thinking about this more and I think it might be ok to have a 
session cookie that has all the initial information needed to restore 
the client session and restart the login without having to redirect back 
to the client.  The session cookie would match up against the code query 
param that is passed around.  This would probably be good enough 
protection.  Only thing an attacker would be able to do is restart the 
login.

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
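
Added example (not part of the original message and not Keycloak code): one way a restart cookie could be matched against the code query parameter, as the message describes. The HMAC signing, the field names and the sample values are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Assumption: a server-side secret signs the cookie; the message does not specify this.
SERVER_KEY = secrets.token_bytes(32)


def _mac(payload: bytes) -> bytes:
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest().encode()


def issue_restart_cookie(code, client_id, redirect_uri, state):
    """Pack the initial login request plus a digest of the code into a cookie value."""
    body = json.dumps({
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        # Only a hash of the code is stored, so the cookie alone does not reveal it.
        "code_hash": hashlib.sha256(code.encode()).hexdigest(),
    }, sort_keys=True).encode()
    return base64.urlsafe_b64encode(body).decode() + "." + _mac(body).decode()


def restart_login(cookie, code):
    """Return the original request parameters if cookie and code match, else None."""
    try:
        encoded, tag = cookie.split(".", 1)
        body = base64.urlsafe_b64decode(encoded.encode())
    except ValueError:  # missing separator or bad base64
        return None
    if not hmac.compare_digest(_mac(body), tag.encode()):
        return None  # cookie was modified or not issued by this server
    data = json.loads(body)
    presented = hashlib.sha256(code.encode()).hexdigest()
    if not hmac.compare_digest(data.pop("code_hash"), presented):
        return None  # cookie belongs to a different login attempt
    return data  # enough to restart the login without redirecting to the client


if __name__ == "__main__":
    # Constructed sample values.
    c = issue_restart_cookie("code-123", "app", "https://app.example/cb", "xyz")
    print(restart_login(c, "code-123"))
    print(restart_login(c, "some-other-code"))
```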

