Could we not have a separate session state cookie that is not HttpOnly?
----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: "Stian Thorgersen" <stian(a)redhat.com>
Cc: keycloak-dev(a)lists.jboss.org
Sent: Friday, 9 May, 2014 2:36:09 PM
Subject: Re: [keycloak-dev] User sessions added
That's what I was saying before. There is no benefit in using Iframes
if your login cookies are HttpOnly. Your set timeout is *already*
happening indirectly via refresh tokens.
The only other benefit might be in that you'd have to enable CORS for
that "ping" request which might be a pain.
On 5/9/2014 9:10 AM, Stian Thorgersen wrote:
> What then is the benefit of having this iframe compared to just adding
> something like the following to keycloak.js:
>
> setTimeout(function() {
> var req = new XMLHttpRequest();
> req.open('GET',
>
'http://localhost:8080/auth/rest/realms/realm/tokens/session-status?session_state=...',
> true);
> req.onreadystatechange = function () {
> if (req.readyState == 4 && req.status == 200) {
> var status = JSON.parse(req.responseText);
> if (!status.active) {
> clearToken();
> }
> }
> }
> req.send();
> }, 3000);
>
>
> ----- Original Message -----
>> From: "Bill Burke" <bburke(a)redhat.com>
>> To: keycloak-dev(a)lists.jboss.org
>> Sent: Friday, 9 May, 2014 1:41:02 PM
>> Subject: Re: [keycloak-dev] User sessions added
>>
>>
>>
>> On 5/9/2014 6:59 AM, Stian Thorgersen wrote:
>>> User sessions have been added. In summary when a user logs in a new
>>> session
>>> is created (and persisted in the model). The identity cookie as well as
>>> all tokens/refresh-tokens are associated with a session. When a user logs
>>> out the session is invalidated (removed from the model), which
>>> invalidates
>>> the identity cookie and all tokens/refresh-tokens.
>>>
>>> There's two related issues left to do:
>>>
>>> * Make sure adapters only log out a specific session (if LoginAction
>>> contains a session id)
>>> * Allow a user to log out all sessions through the account management
>>> console
>>>
>>> Also, we may want some mechanism to retrieve the status of a session from
>>> applications. This could be a REST endpoint, or the crazy iframe
>>> technique
>>> from OpenID Connect. I think this can be postponed to after 1.0 though.
>>>
>>
>> The crazy IFrame techique would require this REST "ping". At least
for
>> us, as our cookies would be http-only.
>>
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>>
http://bill.burkecentral.com
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev(a)lists.jboss.org
>>
https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com