[keycloak-dev] timeouts
Bill Burke
bburke at redhat.com
Thu Jul 23 11:16:23 EDT 2015
Was thinking about this more and I think it might be ok to have a
session cookie that has all the initial information needed to restore
the client session and restart the login without having to redirect back
to the client. The session cookie would match up against the code query
param that is passed around. This would probably be good enough
protection. Only thing an attacker would be able to do is restart the
login.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
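
One way the cookie-to-code match described in the message above could be checked, as an added example that is not from the original post or from Keycloak's code. The HMAC-signed cookie layout, the field names, and the functions `issue_restart_cookie` and `restart_login` are all assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json


def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def code_tag(code: str) -> str:
    # Store a hash of the code, so the cookie never carries the code itself.
    return hashlib.sha256(code.encode()).hexdigest()


def issue_restart_cookie(key: bytes, code: str, client_id: str,
                         redirect_uri: str, state: str) -> str:
    """Build a session cookie holding what is needed to restart the login."""
    payload = json.dumps({
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "code_tag": code_tag(code),
    }, sort_keys=True).encode()
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return b64e(payload) + "." + b64e(mac)


def restart_login(key: bytes, cookie: str, code_param: str):
    """Return the restart parameters, or None if the cookie is not usable."""
    try:
        body, mac = cookie.split(".")
        payload, given = b64d(body), b64d(mac)
    except ValueError:  # wrong shape or bad base64
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(given, expected):
        return None  # cookie was not issued by this server, or was altered
    fields = json.loads(payload)
    # The cookie must belong to the code query param that came with it.
    if not hmac.compare_digest(fields.pop("code_tag"), code_tag(code_param)):
        return None
    return fields  # enough to restart the login, nothing more
```

A successful check yields only the parameters for restarting the login; it does not authenticate anyone.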