<p dir="ltr">I personally am very used to expecting web sites to just work if I do a back button followed by a forward button. If content of my forms disappears during back-forward combo, or consequent action fails with strange error I'm always annoyed by it. I know that there is a technical reason behind it not working but some sites do this right. So in principle I'm against backbutton automatically forgetting the session, and making me start from scratch.</p>
<div class="gmail_quote">On Jan 27, 2016 8:12 AM, "Marek Posolda" <<a href="mailto:mposolda@redhat.com">mposolda@redhat.com</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">+1 to restart the flow entirely when back button is pressed in any stage<br>
(either authenticator or required actions screen). Or maybe even drop<br>
the ClientSession entirely and redirect back to the application?<br>
<br>
Once we use this "must-revalidate" header, I hope we can detect that<br>
request was triggered by back button. Maybe we will need to maintain all<br>
previously used action keys on ClientSessionModel, so we are clearly<br>
able to detect that request was triggered by back button?<br>
<br>
Note that I am not usability expert and I am not sure what is best<br>
practice regarding back button and usability. But redirect back to the<br>
application looks like most clear way to me.<br>
<br>
Marek<br>
<br>
On 26/01/16 23:36, Bill Burke wrote:<br>
> The current thinking for browser back button is to set:<br>
><br>
> Cache-Control: no-store, must-revalidate, max-age=0<br>
><br>
> There are possible security issues with this that I don't know if we<br>
> should do this or not. Don't know if you remember how ClientSessionCode<br>
> works, it uses a hash of the client session id and the action key<br>
> currently stored in the. When you switch from authentication to<br>
> required actions, the action key changes. Now, if you hit the back<br>
> button on a required action page, it would take you back to an<br>
> authentication screen. The code check would fail because the action<br>
> keys don't match.<br>
><br>
> Do we actually need this action key stuff? Can we just let the flow<br>
> manager put the browser in the correct state? So if an "authenticate"<br>
> url is hit and the flow is on required actions, just redirect to the<br>
> required actions URL. I just worry that this is some sort of security<br>
> hole somehow. Maybe we're better off just reseting and restarting the<br>
> flow entirely.<br>
><br>
<br>
_______________________________________________<br>
keycloak-dev mailing list<br>
<a href="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-dev" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a><br>
</blockquote></div>