[keycloak-user] Session already invalidated

Marek Posolda mposolda at redhat.com
Tue Mar 14 03:50:49 EDT 2017


On 13/03/17 15:27, Amat, Juan (Nokia - US) wrote:
> Actually I do not think that this is the case with Wildfly (or we would have this 'Session already invalidated' error and we do not see it).
> True, there is a flag in undertow that you can set to invalidate the session during logout.
> But again I do not think that this is used by default in Wildfly.
>
> And please tell me why this would be 'unsafe'?
Yes. For example, a scenario like this:
- You log in to the "bank account" application
- You can see the details of your bank account now
- You click "Logout". In case this logs you out but won't 
invalidate the session, then anyone who comes to the computer after you 
will see the details of your bank account

I personally never saw a web application where logout doesn't invalidate 
the HttpSession as well.

I can understand some data might be persistent even after logout (eg. 
locale). In this case, you can use a separate cookie and separate storage, 
which will be persistent across logouts. BTW, Keycloak also has support 
for offline tokens, which allow having the token inside the application 
even if the user is logged out and doing some actions on behalf of the user (eg. 
some nightly periodic tasks etc). But I guess that's not related to your 
use case?

Another thing is that in the last mail of the thread you referenced, 
it's mentioned that there is a bug in undertow. It will be fixed in 
undertow 1.4.7.Final. So once it's possible to have Wildfly upgraded to 
this version, the try/catch block won't be needed anymore.

Marek

>
>> -----Original Message-----
>> From: Marek Posolda [mailto:mposolda at redhat.com]
>> Sent: Monday, March 13, 2017 2:04 AM
>> To: Amat, Juan (Nokia - US) <juan.amat at nokia.com>; keycloak-user at lists.jboss.org
>> Subject: Re: [keycloak-user] Session already invalidated
>>
>> It looks quite unsafe to logout and not invalidate the session at the same time.
>> And AFAIK Wildfly also invalidates the HttpSession automatically during logout for
>> their builtin authentication mechanisms (when Keycloak integration is disabled).
>> You may use something else than HttpSession if you really have the use case
>> where some session data shouldn't be invalidated at logout (eg. some custom
>> storage backed by a custom session cookie).
>>
>> Marek
>>
>> On 11/03/17 21:32, Amat, Juan (Nokia - US) wrote:
>>> Hello,
>>>
>>> I read this thread: http://lists.jboss.org/pipermail/keycloak-user/2017-February/009550.html
>>> I am hitting the same issue and I can use the same workaround.
>>>
>>> But I would really like to know why Keycloak calls session.invalidate when processing the logout.
>>> 'logout' and 'invalidate' are 2 different operations and in theory you may want to logout while still keeping the session alive.
>>> Thank you.
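A hypothetical servlet, added here as an illustration and not code from this thread, from Keycloak or from WildFly, showing the approach Marek describes: logout invalidates the HttpSession, the try/catch tolerates the "Session already invalidated" state the referenced thread hits, and the only data kept across logout (the locale) moves into its own cookie. The class name, the "locale" attribute and the "app_locale" cookie name are assumptions.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical logout servlet for a Keycloak-secured WildFly application.
public class LogoutServlet extends HttpServlet {
    private static final String LOCALE_COOKIE = "app_locale"; // assumed name

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        HttpSession session = req.getSession(false);

        // Copy out only what should survive logout (the locale). Everything
        // else in the HttpSession (account details, caches) must die with it.
        String locale = null;
        if (session != null && session.getAttribute("locale") != null) {
            locale = session.getAttribute("locale").toString();
        }

        // req.logout() hands logout to the Keycloak adapter, which may already
        // have invalidated the session; a second invalidate() then throws
        // IllegalStateException ("Session already invalidated").
        req.logout();
        if (session != null) {
            try {
                session.invalidate();
            } catch (IllegalStateException alreadyInvalidated) {
                // Workaround from the referenced thread; unnecessary once
                // WildFly ships undertow 1.4.7.Final.
            }
        }

        // Persist the locale in its own cookie, independent of the session.
        if (locale != null) {
            Cookie c = new Cookie(LOCALE_COOKIE, locale);
            c.setPath(req.getContextPath().isEmpty() ? "/" : req.getContextPath());
            c.setHttpOnly(true);
            c.setSecure(req.isSecure());
            c.setMaxAge(60 * 60 * 24 * 365); // one year
            resp.addCookie(c);
        }
        resp.sendRedirect(req.getContextPath() + "/");
    }
}
```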
