Hi guys,
We're connecting Magento with Keycloak, and the SID is regenerated after every change
of the login status to prevent session fixation attacks, where attackers might be able to
enforce a session id or observe a session id prior to authentication and can later access
user accounts by requesting private resources using these session ids.
SID refreshes are a common way to prevent this kind of issue and to ensure that no old
SIDs are leaked and cannot be enforced or predicted.
Regards, Bastian
From: Marek Posolda <mposolda@redhat.com>
Date: Mon, 30 Mar 2015 23:00:03 +0200
To: Sebastian Rose <sebastian.rose@aoe.com>,
"keycloak-dev@lists.jboss.org" <keycloak-dev@lists.jboss.org>
Subject: Re: [keycloak-dev] application session state update
On 27.3.2015 17:22, Sebastian Rose wrote:
Hi everyone,
The endpoint /auth/realms/<realm>/protocol/openid-connect/access/codes has a
parameter for the session id of a secured application (adapters use it):
application_session_state. The endpoint
/auth/realms/<realm>/protocol/openid-connect/refresh has not. At least this is what
I saw within the code. Sorry, if it's there.
We have integrated our own application a la adapter, using these two URLs, and
it's working fine. Our application completes the login via the first endpoint and
changes its session id after the successful login. This means when a logout event is
sent to our application, the old session id is used.
So you're not using the servlet API but something completely different? Which framework
are you using? Just curious about your use case, as in a normal servlet application the
HttpSession ID is the same for the whole life of the user interaction and doesn't need to be
changed after authentication (or during refresh).
Marek
So I'm asking if it makes sense to you to have the same parameter for the refresh URL
to cover our requirement, or to integrate an application_session_state update endpoint to
add/delete/update additional/new session ids.
Best Regards
Sebastian
_______________________________________________
keycloak-dev mailing list
keycloak-dev@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
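The following is an added example, not code from this thread, from Keycloak or from Magento. It illustrates the two points the thread raises: Bastian's description of regenerating the SID on every login-state change so that a session id observed or imposed before authentication is worthless afterwards, and Sebastian's problem that a logout event arrives carrying the session id the application reported at login time, which is no longer the current one. The names `SessionStore`, `Session` and `app_session_state` are assumptions made for the example; the stable `app_session_state` value stands in for whatever identifier an application would register with the identity provider, and Keycloak's real endpoints are not modelled.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Session:
    sid: str                      # cookie value; regenerated on login-state changes
    app_session_state: str        # stable handle reported to the IdP (assumed name)
    user: Optional[str] = None    # None until the user is authenticated


class SessionStore:
    """Server-side session store that regenerates the SID on login and logout.

    Two indexes are kept: the current SID (what the browser presents) and the
    stable app_session_state (what a back-channel logout would reference), so a
    logout that names the handle registered at login still finds the session
    even though the SID has changed since.
    """

    def __init__(self) -> None:
        self._by_sid: Dict[str, Session] = {}
        self._by_app_state: Dict[str, str] = {}   # app_session_state -> current sid

    def create(self) -> Session:
        """Start an anonymous session with a fresh, unpredictable SID."""
        s = Session(sid=secrets.token_urlsafe(32),
                    app_session_state=secrets.token_urlsafe(16))
        self._by_sid[s.sid] = s
        self._by_app_state[s.app_session_state] = s.sid
        return s

    def _regenerate(self, s: Session) -> None:
        """Issue a new SID and invalidate the old one immediately."""
        self._by_sid.pop(s.sid, None)
        s.sid = secrets.token_urlsafe(32)
        self._by_sid[s.sid] = s
        self._by_app_state[s.app_session_state] = s.sid

    def login(self, presented_sid: str, user: str) -> str:
        """Authenticate the user and return the SID the browser must use from now on.

        An unknown or stale SID is never adopted: a brand-new session is created
        instead, so a value chosen by a third party cannot become a logged-in session.
        """
        s = self._by_sid.get(presented_sid) or self.create()
        self._regenerate(s)
        s.user = user
        return s.sid

    def user_for(self, sid: str) -> Optional[str]:
        """Resolve a presented SID to the authenticated user, or None."""
        s = self._by_sid.get(sid)
        return s.user if s else None

    def logout_by_sid(self, sid: str) -> bool:
        """Front-channel logout: the browser presents its current SID."""
        s = self._by_sid.get(sid)
        if s is None:
            return False
        return self.logout_by_app_state(s.app_session_state)

    def logout_by_app_state(self, app_state: str) -> bool:
        """Back-channel logout keyed by the stable handle, not by the current SID."""
        sid = self._by_app_state.pop(app_state, None)
        if sid is None:
            return False
        self._by_sid.pop(sid, None)   # the now-dead SID must not resolve to anything
        return True


def walkthrough() -> dict:
    """Constructed scenario: a SID known before login must not work after it,
    and a logout naming the registered handle must still end the session."""
    store = SessionStore()
    pre_auth = store.create()
    observed_sid = pre_auth.sid                 # value seen before authentication
    handle = pre_auth.app_session_state         # what the app registered at login
    current_sid = store.login(observed_sid, "alice")
    result = {
        "sid_changed": current_sid != observed_sid,
        "old_sid_resolves": store.user_for(observed_sid),    # expect None
        "new_sid_resolves": store.user_for(current_sid),     # expect "alice"
        "logout_by_handle": store.logout_by_app_state(handle),
        "after_logout": store.user_for(current_sid),         # expect None
    }
    return result


if __name__ == "__main__":
    for k, v in walkthrough().items():
        print(f"{k}: {v}")
```

The design choice worth noting is that the value handed to the identity provider is a separate, stable handle rather than the cookie SID itself; the application can then rotate the SID as often as it likes without the logout mapping going stale, which is exactly the gap Sebastian describes when the refresh endpoint cannot update `application_session_state`.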