----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: keycloak-dev(a)lists.jboss.org
Sent: Monday, January 26, 2015 2:27:30 PM
Subject: Re: [keycloak-dev] Rest password can cause cookie not found
Wouldn't this work?
1) store "state" of state cookie in user session.
2) embed user session and state of state cookie in URL
Of course this screws up your "shorter URL" crusade.
I'm not following - the problem isn't remembering the state variable in Keycloak;
that's already sorted, as we already store all the query params passed by the client in
the client session (state, redirect_uri, etc.). The problem is storing it on the adapter
side.
On 1/26/2015 8:07 AM, Stian Thorgersen wrote:
> Someone reported https://issues.jboss.org/browse/KEYCLOAK-1014. In summary
> if you click on reset password, close the browser, then click the link in
> the email to recover password the state cookie won't be set.
>
> Some suggestions on how to solve this:
>
> * Store state variable in non-session cookie (with some sensible expiration
> 24h?)
> * Generate/verify state using HMAC on the server-side instead of using uuid
> * Improve error message on client side if state is not correct, basically
> asking user to re-login - can this be easily implemented in the app itself
> with the adapter today?
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
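The second suggestion in the quoted message, an HMAC-generated state instead of a random uuid, as an added example that is not Keycloak's or its adapters' code: the state value carries its own nonce, issue time and HMAC-SHA256 tag, so the adapter can verify it on the callback without a session cookie. The secret key and the 24h lifetime are assumptions chosen for the example.

```python
import base64
import hashlib
import hmac
import os
import time
from typing import Optional

# Constructed secret for this example only; a deployment would load it from
# configuration rather than hard-coding it.
SECRET_KEY = b"example-adapter-secret-not-for-production"
MAX_AGE_SECONDS = 24 * 3600  # the "sensible expiration, 24h?" from the thread
NONCE_LEN, TS_LEN = 16, 8

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _tag(key: bytes, payload: bytes) -> bytes:
    return hmac.new(key, payload, hashlib.sha256).digest()

def generate_state(key: bytes = SECRET_KEY, now: Optional[float] = None) -> str:
    """state = b64(nonce || issued_at) + '.' + b64(HMAC-SHA256(key, nonce || issued_at)).
    The adapter keeps nothing to verify it later, so no cookie is needed."""
    issued = int(time.time() if now is None else now)
    payload = os.urandom(NONCE_LEN) + issued.to_bytes(TS_LEN, "big")
    return _b64(payload) + "." + _b64(_tag(key, payload))

def verify_state(state: str, key: bytes = SECRET_KEY, now: Optional[float] = None,
                 max_age: int = MAX_AGE_SECONDS) -> bool:
    """Reject malformed input, a wrong tag (constant-time compare), and a state
    that is expired or dated in the future."""
    try:
        payload_b64, tag_b64 = state.split(".", 1)
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    except ValueError:  # covers binascii.Error and a missing "."
        return False
    if len(payload) != NONCE_LEN + TS_LEN:
        return False
    if not hmac.compare_digest(tag, _tag(key, payload)):
        return False
    issued = int.from_bytes(payload[NONCE_LEN:], "big")
    current = int(time.time() if now is None else now)
    return 0 <= current - issued <= max_age
```

Note the trade-off: a tag like this proves the server issued the state and bounds its age, but unlike the cookie it does not bind the callback to the browser that started the login, so the adapter would still need some other check if that binding matters.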