<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; color: rgb(0, 0, 0); font-size: 13px; font-family: Arial, sans-serif;"><div><div>Hi guys,</div><div><br></div><div>We're connecting Magento with Keycloak, and the SID is regenerated after every change of the login status to prevent session fixation attacks where attackers might be able to enforce a session id or observe a session id prior to authentication and can later access useraccounts by requesting private resources using these session ids.</div><div><br></div><div>SID refreshs are a common way to prevent this kind of issues and to ensure that no old SID's are leaked and cannot be enforced or predicted.</div><div><br></div><div><br></div><div>Regards, Bastian</div></div><div><br></div><div><br></div><span id="OLK_SRC_BODY_SECTION"><div style="font-family:Lucida Grande; font-size:11pt; text-align:left; color:black; BORDER-BOTTOM: medium none; BORDER-LEFT: medium none; PADDING-BOTTOM: 0in; PADDING-LEFT: 0in; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid; BORDER-RIGHT: medium none; PADDING-TOP: 3pt"><span style="font-weight:bold">Von: </span> Marek Posolda <<a href="mailto:mposolda@redhat.com">mposolda@redhat.com</a>><br><span style="font-weight:bold">Datum: </span> Mon, 30 Mar 2015 23:00:03 +0200<br><span style="font-weight:bold">An: </span> Sebastian Rose <<a href="mailto:sebastian.rose@aoe.com">sebastian.rose@aoe.com</a>>, "<a href="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a>" <<a href="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a>><br><span style="font-weight:bold">Betreff: </span> Re: [keycloak-dev] application session state update<br></div><div><br></div><div>
<meta content="text/html; charset=windows-1252" http-equiv="Content-Type">
<div bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 27.3.2015 17:22, Sebastian Rose
wrote:<br>
</div>
<blockquote cite="mid:1B725C3C52B62D42A8A766BB4EFFCA2C43CECE8FF8@srv-mail01.aoemedia.lan" type="cite">
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
<meta name="Generator" content="Microsoft Word 15 (filtered
medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-fareast-language:EN-US;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
span.E-MailFormatvorlage17
{mso-style-type:personal-compose;
font-family:"Calibri","sans-serif";
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";
mso-fareast-language:EN-US;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:70.85pt 70.85pt 2.0cm 70.85pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoNormal">Hi everyone,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">The endpoint
/auth/realms/<realm>/protocol/openid-connect/access/codes
has a parameter for the session id of a secured application
(adapters use it): application_session_state. The Endpoint
/auth/realms/<realm>/protocol/openid-connect/refresh has
not. At least this is what i saw within the code. Sorry, if
it's there.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">We have integrated our own application a la
adapter, using these two url's and it's working fine. Our
application completes the login via the first endpoint and
changes it's session id after the successful login. This means
when a logout event is send to our application, the old
session id is used.</p>
</div>
</blockquote>
So you're not using servlet API but something completely different?
Which framework are you using? Just curious about your usecase as in
normal servlet application the HttpSession ID is same for the whole
life of user interaction and doesn't need to be changed after
authentication (or during refresh).<br>
<br>
Marek<br>
<blockquote cite="mid:1B725C3C52B62D42A8A766BB4EFFCA2C43CECE8FF8@srv-mail01.aoemedia.lan" type="cite">
<div class="WordSection1">
<p class="MsoNormal"><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">So i'm asking if it makes sense to you to
have the same parameter for the refresh-url to cover our
requirement or to integrate an application_session_state
update endpoint to add/delete/update additional/new session
id's.</p>
</div>
</blockquote>
<blockquote cite="mid:1B725C3C52B62D42A8A766BB4EFFCA2C43CECE8FF8@srv-mail01.aoemedia.lan" type="cite">
<div class="WordSection1">
<p class="MsoNormal"><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Best Regrads<o:p></o:p></p>
<p class="MsoNormal">Sebastian<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="mso-fareast-language:DE"><o:p> </o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="mso-fareast-language:DE"><o:p> </o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
keycloak-dev mailing list
<a class="moz-txt-link-abbreviated" href="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a><a class="moz-txt-link-freetext" href="https://lists.jboss.org/mailman/listinfo/keycloak-dev">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a></pre>
</blockquote>
<br>
</div></div></span></body></html>