[keycloak-dev] browser refresh and back button issues

Stian Thorgersen sthorger at redhat.com
Wed Oct 14 13:20:52 EDT 2015


I think a) is OK, but not ideal.

b) however is problematic IMO. In the case of required actions, why not
just display the next required action associated with the user? That would
be the equivalent of a.

There's also another bug related to this which is that if you try to change
the language on a page in the middle of the auth flow it blows up.

On 14 October 2015 at 18:58, Bill Burke <bburke at redhat.com> wrote:

> I've been looking into a couple of "browser refresh" bugs.  Currently,
> if an HTTP request to the auth flow SPI did not match the state of the
> client session you would
>
> a) have the flow reset if you were currently in the process of
> authenticating
> b) Show an error screen if you aren't currently authenticating (i.e.
> performing required actions)
>
> Now I remember why I did it this way.  It is impossible to detect the
> difference between a browser refresh and somebody hitting the back
> button and resubmitting a previous form.  Hitting "browser refresh" will
> resubmit any previous form POST.  So, you have no idea if the user is
> refreshing the current page or resubmitting after a browser back button.
>
> So, I think it is best to keep things the way they are now.  Thoughts?
>
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
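The point Bill makes (a refresh re-POSTs the form the browser just submitted, and the back button followed by a resubmit sends exactly the same POST) and the alternative Stian raises for required actions can be made concrete with a small simulation. This is example code added for this page, not Keycloak's implementation: the `ClientSession` class, the per-form `code`, the step names (`username`, `otp`, `update_password`, `verify_email`), the `stale_policy` parameter and the `simulate` browser model are all hypothetical stand-ins for the real auth flow state. It replays constructed browser histories against a server that rejects any form whose code no longer matches the session, and shows that the refresh and back-button cases arrive as the same request, so the server can only choose a recovery policy, not detect which one happened.

```python
import secrets
from dataclasses import dataclass, field

# Constructed example flow (not Keycloak's real configuration): two
# authentication steps, then two required actions the user must complete.
AUTH_STEPS = ["username", "otp"]
REQUIRED_ACTIONS = ["update_password", "verify_email"]


def new_code():
    # Hypothetical per-step code embedded in every rendered form.
    return secrets.token_hex(8)


@dataclass
class ClientSession:
    """Hypothetical server-side state for one login attempt."""
    auth_steps: list = field(default_factory=lambda: list(AUTH_STEPS))
    required_actions: list = field(default_factory=lambda: list(REQUIRED_ACTIONS))
    code: str = field(default_factory=new_code)

    @property
    def authenticating(self):
        return bool(self.auth_steps)

    def render(self):
        """The page the server sends back: the current form plus its code."""
        if self.auth_steps:
            return {"page": self.auth_steps[0], "code": self.code}
        if self.required_actions:
            return {"page": self.required_actions[0], "code": self.code}
        return {"page": "done"}

    def advance(self):
        """Move to the next step and rotate the code so older forms go stale."""
        if self.auth_steps:
            self.auth_steps.pop(0)
        elif self.required_actions:
            self.required_actions.pop(0)
        self.code = new_code()


def handle_post(session, form, stale_policy="error"):
    """Process one form POST against the session.

    A POST whose code differs from the session's current code is stale. The
    server cannot tell whether it came from a browser refresh (re-POST of the
    form just processed) or from the back button (re-POST of an earlier form):
    both arrive as a previously valid form carrying an out-of-date code.
    """
    if form.get("code") != session.code:
        if session.authenticating:
            # (a) still authenticating: reset the flow to its first step.
            session.auth_steps = list(AUTH_STEPS)
            session.code = new_code()
            return {"action": "reset", **session.render()}
        if stale_policy == "error":
            # (b) in required actions: the error screen described in the thread.
            return {"action": "error", "page": "error"}
        # Alternative raised in the reply: just show the next required action.
        return {"action": "next", **session.render()}
    session.advance()
    return {"action": "advance", **session.render()}


def simulate(events, stale_policy="error"):
    """Replay a constructed browser history; return (form page, action, page) triples.

    events: "submit"  = submit the form on the page currently shown
            "refresh" = browser refresh, which re-POSTs the last submitted form
            "back:N"  = go back N pages in history and resubmit that page's form
    """
    session = ClientSession()
    pages = [session.render()]  # every page rendered so far, oldest first
    last_form = None
    out = []
    for event in events:
        if event == "submit":
            form = pages[-1]
        elif event == "refresh":
            if last_form is None:
                raise ValueError("nothing has been POSTed yet")
            form = last_form
        elif event.startswith("back:"):
            form = pages[-1 - int(event[5:])]
        else:
            raise ValueError(event)
        last_form = form
        resp = handle_post(session, form, stale_policy)
        pages.append(resp)
        out.append((form.get("page"), resp["action"], resp["page"]))
    return out


if __name__ == "__main__":
    for policy in ("error", "next"):
        print(policy, "refresh:", simulate(["submit"] * 3 + ["refresh"], policy)[-1])
        print(policy, "back:   ", simulate(["submit"] * 3 + ["back:1"], policy)[-1])
```

With the `error` policy both the refresh and the back-button replay of the `update_password` form produce the error page; with the `next` policy both land on `verify_email`, the next required action, without re-running the step that was already completed. In neither case does the server see anything that separates the two histories, which is why the choice is a policy decision rather than a detection problem.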