<div dir="ltr">The action key was introduced in the whole days when we didn't have any state on the server that was aware where the flow was. Now that we have a clear state on the server that is fully aware of where in a flow a user is it shouldn't be required any more, and as long as the flow manager puts it in the correct state there's nothing that a user can do to try to jump back/forward in the flow.</div><div class="gmail_extra"><br><div class="gmail_quote">On 27 January 2016 at 08:11, Marek Posolda <span dir="ltr"><<a href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">+1 to restart the flow entirely when back button is pressed in any stage<br>
(either authenticator or required actions screen). Or maybe even drop<br>
the ClientSession entirely and redirect back to the application?<br>
<br>
Once we use this "must-revalidate" header, I hope we can detect that<br>
request was triggered by back button. Maybe we will need to maintain all<br>
previously used action keys on ClientSessionModel, so we are clearly<br>
able to detect that request was triggered by back button?<br>
<br>
Note that I am not usability expert and I am not sure what is best<br>
practice regarding back button and usability. But redirect back to the<br>
application looks like most clear way to me.<br>
<span class="HOEnZb"><font color="#888888"><br>
Marek<br>
</font></span><span class="im HOEnZb"><br>
On 26/01/16 23:36, Bill Burke wrote:<br>
> The current thinking for browser back button is to set:<br>
><br>
> Cache-Control: no-store, must-revalidate, max-age=0<br>
><br>
> There are possible security issues with this that I don't know if we<br>
> should do this or not. Don't know if you remember how ClientSessionCode<br>
> works, it uses a hash of the client session id and the action key<br>
> currently stored in the. When you switch from authentication to<br>
> required actions, the action key changes. Now, if you hit the back<br>
> button on a required action page, it would take you back to an<br>
> authentication screen. The code check would fail because the action<br>
> keys don't match.<br>
><br>
> Do we actually need this action key stuff? Can we just let the flow<br>
> manager put the browser in the correct state? So if an "authenticate"<br>
> url is hit and the flow is on required actions, just redirect to the<br>
> required actions URL. I just worry that this is some sort of security<br>
> hole somehow. Maybe we're better off just reseting and restarting the<br>
> flow entirely.<br>
><br>
<br>
</span><div class="HOEnZb"><div class="h5">_______________________________________________<br>
keycloak-dev mailing list<br>
<a href="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-dev" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a><br>
</div></div></blockquote></div><br></div>