[keycloak-dev] timeouts

Bill Burke bburke at redhat.com
Sat Jul 25 12:50:42 EDT 2015


I implemented this as a JWS with hmac256 of the realm's secret code.  It 
stores the client session as json based on whatever it is at the start 
of authentication process.  This is about 700 bytes in size.  Combined 
with our other cookies, I think we are still well below the 4k max 
on per-domain total cookie size.

You will also get a message "You took too long to login.  Login process 
starting from beginning."

I know some people were complaining that you have to enter in your 
username/password twice, but IMO, there's no way around this at this 
time without reworking the auth spi significantly.  I'm not sure if it 
is even possible yet.

On 7/24/2015 3:14 AM, Stian Thorgersen wrote:
> +1 I can't see why basically just saving the initial request from the client is a problem - sounds like it would be a proper solution to the problem
>
> ----- Original Message -----
>> From: "Bill Burke" <bburke at redhat.com>
>> To: keycloak-dev at lists.jboss.org
>> Sent: Thursday, 23 July, 2015 5:16:23 PM
>> Subject: [keycloak-dev] timeouts
>>
>> Was thinking about this more and I think it might be ok to have a
>> session cookie that has all the initial information needed to restore
>> the client session and restart the login without having to redirect back
>> to the client.  The session cookie would match up against the code query
>> param that is passed around.  This would probably be good enough
>> protection.  Only thing an attacker would be able to do is restart the
>> login.
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
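The mechanism sketched in this thread, written out as an added example that is not Keycloak code and not Bill's implementation: the client session is serialised as JSON, signed as a compact JWS with HMAC-SHA256 under the realm secret, carried in a cookie, and on the way back in the cookie's signature is verified and its stored code is matched against the `code` query parameter before the login is either continued or restarted. The field names (`client_id`, `redirect_uri`, `state`, `code`, `started`), the 300 second timeout, the realm secret and the 4096 byte budget are all constructed assumptions for illustration; only Python's standard library is used.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple

# Constructed values for this example; a real realm secret is a random high-entropy key.
REALM_SECRET = b"constructed-realm-secret-not-a-real-key"
COOKIE_BUDGET = 4096          # approximate per-domain cookie budget discussed in the thread
LOGIN_TIMEOUT_S = 300         # assumed login timeout


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_client_session(client_id: str, redirect_uri: str, state: str, now: float) -> dict:
    """Snapshot of the client session taken at the start of authentication (constructed fields)."""
    return {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "scope": "openid",
        "code": secrets.token_urlsafe(24),   # the code that is passed around as a query param
        "started": now,
    }


def sign_client_session(session: dict, secret: bytes = REALM_SECRET) -> str:
    """Compact JWS (HS256) over the JSON-encoded session: header.payload.signature."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(session, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def verify_client_session(token: str, secret: bytes = REALM_SECRET) -> Optional[dict]:
    """Return the session if the JWS is intact and signed with the realm secret, else None."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
    except (ValueError, json.JSONDecodeError):
        return None
    if header.get("alg") != "HS256":
        return None   # never let the token pick the algorithm
    expected = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return None
    return json.loads(_b64url_decode(p))


def restore_login(cookie: str, code_param: str, now: float,
                  timeout_s: int = LOGIN_TIMEOUT_S) -> Tuple[str, Optional[dict]]:
    """
    Decide what the login endpoint does with the session cookie and the code query param.
    'reject'   - bad signature or cookie/code mismatch: nothing to restore
    'restart'  - cookie is genuine but the login took too long: restart from the beginning
    'continue' - cookie is genuine and fresh: carry on with the stored client session
    """
    session = verify_client_session(cookie)
    if session is None:
        return "reject", None
    # The cookie must match the code passed around in the query string.
    if not hmac.compare_digest(session["code"].encode(), code_param.encode()):
        return "reject", None
    if now - session["started"] > timeout_s:
        # "You took too long to login.  Login process starting from beginning."
        return "restart", session
    return "continue", session


def cookie_fits(cookie: str, other_cookie_bytes: int, budget: int = COOKIE_BUDGET) -> bool:
    """Check the signed session plus the other cookies stays inside the per-domain budget."""
    return len(cookie) + other_cookie_bytes <= budget


if __name__ == "__main__":
    t0 = time.time()
    sess = make_client_session("my-app", "https://app.example/cb", "xyz", t0)
    cookie = sign_client_session(sess)
    print(len(cookie), "bytes; fits:", cookie_fits(cookie, 1500))
    print(restore_login(cookie, sess["code"], t0 + 10)[0])          # continue
    print(restore_login(cookie, sess["code"], t0 + 1000)[0])        # restart
    print(restore_login(cookie, "not-the-code", t0 + 10)[0])        # reject
```

Because the payload is only integrity-protected, not encrypted, the snapshot should hold just what is needed to restart the login; and because the server compares the cookie's code against the query parameter, someone holding only one of the two can do no more than what the thread already notes, restart the login.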