[keycloak-dev] IE login in new session logs out the other user

Stian Thorgersen sthorger at redhat.com
Mon Dec 19 02:00:19 EST 2016


Yes - it's only there as a marker for when the session is active and is
used by the session iframe to detect if the session is valid without having
to do an HTTP request. For more details see the session management spec from
OpenID Connect.

On 16 December 2016 at 16:36, Michael Gerber <gerbermichi at me.com> wrote:

> Why is the KEYCLOAK_SESSION cookie not an http only cookie? Is there a
> reason for that?
>
>
> On 16 Dec 2016, at 16:00, Stian Thorgersen <sthorger at redhat.com> wrote:
>
> Use Chrome or Firefox ;)
>
> On 16 December 2016 at 15:44, Michael Gerber <gerbermichi at me.com> wrote:
>
>> That's true. It shares the cookie which does not have httpOnly set to
>> true.
>>
>> It's obviously an IE fail, however, I need a workaround for that :)
>> Do you have any idea how to solve this?
>>
>> On 16 December 2016 at 15:14, Stian Thorgersen <sthorger at redhat.com>
>> wrote:
>>
>> ... Doesn't
>>
>> On 16 December 2016 at 15:13, Stian Thorgersen <sthorger at redhat.com>
>> wrote:
>>
>>> Does sound like IE actually creates a clean new session as it's sharing
>>> some cookies.
>>>
>>> On 16 December 2016 at 13:10, Michael Gerber <gerbermichi at me.com> wrote:
>>>
>>>> Hi,
>>>>
>>>> I am using Windows 7 and Internet Explorer 11.
>>>>
>>>> IE can create a new window with a new session. It should be possible to
>>>> work with two different users in these two windows. However, the second
>>>> login logs the older user out, because of the KEYCLOAK_SESSION cookie which
>>>> is stored in the
>>>> "C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Cookies"
>>>> directory. The problem is that this cookie is not set to httpOnly.
>>>>
>>>> Is this a known bug? Or can I solve this problem?
>>>>
>>>> kind regards
>>>> Michael
>>>
>>>
>>>
>>
>
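
Added example, not part of the original thread and not Keycloak's code: a simplified JavaScript model of the point made in the reply at the top, that the session iframe reads the marker cookie from script, which an HttpOnly flag would prevent, and of why a cookie shared between two IE windows makes the first user's check fail. The function names, the cookie values and the direct string comparison are assumptions for illustration; the OpenID Connect session management spec has the iframe recompute a session state value from browser state rather than compare the raw cookie.

```javascript
// Simplified model of an OP session iframe check. All values are constructed.

// Parse a Set-Cookie header into { name, value, httpOnly }.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  return {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    httpOnly: attrs.some((a) => a.toLowerCase() === "httponly"),
  };
}

// What script sees as document.cookie: HttpOnly cookies are withheld.
function scriptVisibleCookies(setCookieHeaders) {
  return setCookieHeaders
    .map(parseSetCookie)
    .filter((c) => !c.httpOnly)
    .map((c) => `${c.name}=${c.value}`)
    .join("; ");
}

// Read one cookie by name from a document.cookie-style string.
function readCookie(documentCookie, name) {
  for (const part of documentCookie.split(";")) {
    const [k, ...v] = part.trim().split("=");
    if (k === name) return v.join("=");
  }
  return null;
}

// The iframe's local check: compare the marker cookie with the session the
// client believes is active. No HTTP request is made.
function checkSession(documentCookie, expectedSession) {
  const current = readCookie(documentCookie, "KEYCLOAK_SESSION");
  return current === expectedSession ? "unchanged" : "changed";
}

// Constructed Set-Cookie headers (cookie value format and path are assumptions).
const asIssued = ["KEYCLOAK_SESSION=demo/alice/s-1; Path=/auth/realms/demo; Secure"];
const ifHttpOnly = ["KEYCLOAK_SESSION=demo/alice/s-1; Path=/auth/realms/demo; Secure; HttpOnly"];
const afterSecondLogin = ["KEYCLOAK_SESSION=demo/bob/s-2; Path=/auth/realms/demo; Secure"];

console.log(checkSession(scriptVisibleCookies(asIssued), "demo/alice/s-1"));
console.log(checkSession(scriptVisibleCookies(ifHttpOnly), "demo/alice/s-1"));
console.log(checkSession(scriptVisibleCookies(afterSecondLogin), "demo/alice/s-1"));
```

The second call shows the check failing once the cookie is HttpOnly, and the third shows the first user's check failing after a second login overwrites the shared cookie.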

