[keycloak-user] Is the Keycloak JavaScript adapter vulnerable to Session fixation?

Don Reynolds (dreynold) Don.Reynolds at quest.com
Thu Oct 4 09:49:31 EDT 2018


Hello,

Using the Keycloak JavaScript adapter (keycloak.js) from an HTML5/Angular application, when the login page is displayed, the response header from the "Auth" endpoint includes a "Set-Cookie: AUTH_SESSION_ID=xxx". Upon successfully logging in, it would appear that the value for the "AUTH_SESSION_ID" remains the same as it was prior to the login.

According to the Keycloak documentation, some of the adapters support changing the session id upon login so that the "AUTH_SESSION_ID" is changed upon login, but this does not look like the case for the JavaScript adapter. I also came across https://issues.jboss.org/browse/KEYCLOAK-4820 which describes how some adapters change the session id upon log in, but others do not support it.

Since the JavaScript adapter is not changing the session id upon successful login, it would be my understanding that this would make it vulnerable to Session fixation (https://www.owasp.org/index.php/Session_fixation).

Is my understanding correct?

If so, is there a way to solve this for the JavaScript adapter (keycloak.js)?

If my understanding is not correct, can anyone explain why this would not be considered being vulnerable to session fixation?

Thanks in advance for any advice in this area.

Thanks,

Don
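The observation in the post (the same AUTH_SESSION_ID value before and after login) is something a reviewer can verify mechanically from captured responses. The following is an added example, not code from the mailing list post or from Keycloak: it takes the Set-Cookie headers seen on the initial "Auth" response and on the response that completes login, and reports whether the session cookie was re-issued, whether its value was rotated, and which hardening flags the post-login cookie lacks. The header strings and cookie values are constructed stand-ins; nothing here contacts a server.

```python
"""Check whether a session cookie is rotated across login.

Constructed example: PRE_LOGIN and the POST_LOGIN_* lists below stand in for
Set-Cookie headers captured from a real deployment (for instance from the
browser's network tab). Replace them with real captures to audit a server.
"""
from http.cookies import SimpleCookie
from typing import Dict, List, Optional

# Flags a session cookie should carry; checked on the post-login cookie.
REQUIRED_FLAGS = ("secure", "httponly")

# --- constructed sample captures (values are placeholders) -------------------
PRE_LOGIN = [
    "AUTH_SESSION_ID=8f0c2b6e.node1; Path=/auth/realms/demo/; HttpOnly; Secure",
    "KC_RESTART=constructed-restart-token; Path=/auth/realms/demo/; HttpOnly",
]
# Same session id re-sent after login: the situation the post describes.
POST_LOGIN_SAME = [
    "AUTH_SESSION_ID=8f0c2b6e.node1; Path=/auth/realms/demo/; HttpOnly; Secure",
]
# A fresh id after login, but the Secure flag was dropped.
POST_LOGIN_ROTATED = [
    "AUTH_SESSION_ID=3a9d71c4.node1; Path=/auth/realms/demo/; HttpOnly",
]


def cookie_from_headers(headers: List[str], name: str) -> Optional[SimpleCookie]:
    """Parse each Set-Cookie header and return the jar holding `name`.

    Later headers win over earlier ones, mirroring how a browser applies
    several Set-Cookie headers in one response. Returns None if the cookie
    was never set in this response.
    """
    found = None
    for header in headers:
        jar = SimpleCookie()
        jar.load(header)
        if name in jar:
            found = jar
    return found


def check_session_rotation(pre_login: List[str], post_login: List[str],
                           name: str = "AUTH_SESSION_ID") -> Dict[str, object]:
    """Compare one session cookie before and after login.

    'reissued' is True when the login response sets the cookie at all;
    'rotated' is True only when both responses set it and the values differ.
    'missing_flags' lists REQUIRED_FLAGS absent from the post-login cookie.
    """
    before = cookie_from_headers(pre_login, name)
    after = cookie_from_headers(post_login, name)
    before_val = before[name].value if before else None
    after_val = after[name].value if after else None
    rotated = (before_val is not None and after_val is not None
               and before_val != after_val)
    missing: List[str] = []
    if after is not None:
        # Morsel flags read as True when present and "" when absent.
        missing = [flag for flag in REQUIRED_FLAGS if not after[name][flag]]
    return {
        "before": before_val,
        "after": after_val,
        "reissued": after_val is not None,
        "rotated": rotated,
        "missing_flags": missing,
    }


if __name__ == "__main__":
    for label, post in (("same", POST_LOGIN_SAME), ("rotated", POST_LOGIN_ROTATED)):
        print(label, check_session_rotation(PRE_LOGIN, post))
```

A result with `reissued` True but `rotated` False is the pattern the post reports: the server re-sends the pre-authentication id after login, which is the condition session fixation relies on. A result with `reissued` False means the login response did not touch the cookie at all, so the pre-login value is also what the browser keeps.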