----- Original Message -----
From: "Bastian Ike" <bastian.ike(a)aoe.com>
To: "Marek Posolda" <mposolda(a)redhat.com>, "Sebastian Rose"
<sebastian.rose(a)aoe.com>, keycloak-dev(a)lists.jboss.org
Sent: Tuesday, 31 March, 2015 9:24:09 AM
Subject: Re: [keycloak-dev] application session state update
Hi guys,
We're connecting Magento with Keycloak, and the SID is regenerated after
every change of the login status to prevent session fixation attacks where
attackers might be able to enforce a session id or observe a session id
prior to authentication and can later access user accounts by requesting
private resources using these session ids.
SID refreshes are a common way to prevent this kind of issue and to ensure
that no old SIDs are leaked and cannot be enforced or predicted.
I don't think this is relevant to this discussion, but in either case that's not
an issue in Keycloak. The session id in Keycloak is just a reference to a specific user
session and only valid for the lifetime of the session (it's also a UUID so it is not
predictable). Having knowledge of a session id doesn't provide an attacker with
anything more than, say, a username; it's just a reference.
Regards, Bastian
From: Marek Posolda <mposolda(a)redhat.com>
Date: Mon, 30 Mar 2015 23:00:03 +0200
To: Sebastian Rose <sebastian.rose(a)aoe.com>, "keycloak-dev(a)lists.jboss.org"
<keycloak-dev(a)lists.jboss.org>
Subject: Re: [keycloak-dev] application session state update
On 27.3.2015 17:22, Sebastian Rose wrote:
Hi everyone,
The endpoint /auth/realms/<realm>/protocol/openid-connect/access/codes has a
parameter for the session id of a secured application (adapters use it):
application_session_state. The endpoint
/auth/realms/<realm>/protocol/openid-connect/refresh has not. At least this
is what I saw within the code. Sorry if it's there.
We have integrated our own application a la adapter, using these two URLs,
and it's working fine. Our application completes the login via the first
endpoint and changes its session id after the successful login. This means
when a logout event is sent to our application, the old session id is used.
So you're not using the servlet API but something completely different? Which
framework are you using? Just curious about your use case, as in a normal
servlet application the HttpSession ID is the same for the whole life of the user
interaction and doesn't need to be changed after authentication (or during
refresh).
Marek
So I'm asking if it makes sense to you to have the same parameter for the
refresh URL to cover our requirement, or to integrate an
application_session_state update endpoint to add/delete/update
additional/new session IDs.
Best Regards
Sebastian
_______________________________________________
keycloak-dev mailing list keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
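The problem Sebastian describes (the application rotates its session id at login, so a logout keyed by the id registered at code exchange no longer matches) and the fixation defence Bastian describes can be shown together in a small session store. The code below is an added illustration, not code from this thread, from Keycloak or from Magento: the in-memory `SessionStore`, its method names and the constructed ids such as "ks-1" are hypothetical. It assumes the application keeps the Keycloak user-session id it receives with the token and indexes its own session by that value, so a back-channel logout resolves to the current application session id rather than the pre-login one.

```python
"""Regenerate the application session id at login (session-fixation defence)
while keeping logout working. Added example; not Keycloak or Magento code."""
import secrets


class SessionStore:
    """Hypothetical in-memory application session store."""

    def __init__(self):
        self.sessions = {}   # app SID -> {"user": ..., "sso": Keycloak user-session id or None}
        self.by_sso = {}     # Keycloak user-session id -> current app SID

    def start_anonymous(self, sid=None):
        # Pre-authentication session. `sid` is only accepted here to model an
        # attacker-planted id (the fixation scenario); a real app would never
        # adopt an id it did not issue.
        sid = sid or secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None, "sso": None}
        return sid

    def login(self, pre_auth_sid, user, sso_session_id):
        """Called after a successful code exchange. Drops the pre-auth SID
        and issues a fresh one, so whatever id the browser carried before
        authentication never becomes an authenticated session."""
        self.sessions.pop(pre_auth_sid, None)
        new_sid = secrets.token_urlsafe(32)
        self.sessions[new_sid] = {"user": user, "sso": sso_session_id}
        self.by_sso[sso_session_id] = new_sid   # alias from IdP session to the current SID
        return new_sid

    def user_for(self, sid):
        return self.sessions.get(sid, {}).get("user")

    def logout_by_app_sid(self, sid):
        """A logout keyed only by the SID the app registered at code exchange."""
        return self.sessions.pop(sid, None) is not None

    def logout_by_sso(self, sso_session_id):
        """Back-channel logout keyed by the Keycloak user-session id,
        resolved to whatever application SID is current right now."""
        sid = self.by_sso.pop(sso_session_id, None)
        if sid is None:
            return False
        self.sessions.pop(sid, None)
        return True


def fixation_attempt():
    """Attacker plants a known SID; the victim authenticates with it.
    Returns the user the planted SID resolves to afterwards (None = defended)."""
    store = SessionStore()
    planted = store.start_anonymous("attacker-chosen")   # constructed attacker id
    store.login(planted, "victim", "ks-1")               # constructed Keycloak session id
    return store.user_for(planted)


def logout_with_stale_sid():
    """The thread's problem: logout arrives with the pre-login SID.
    Returns (logout succeeded?, user still bound to the live SID)."""
    store = SessionStore()
    pre = store.start_anonymous()
    live = store.login(pre, "alice", "ks-2")
    return store.logout_by_app_sid(pre), store.user_for(live)


def logout_with_sso_alias():
    """Logout keyed by the Keycloak session id finds the rotated SID.
    Returns (logout succeeded?, user bound to the live SID afterwards)."""
    store = SessionStore()
    pre = store.start_anonymous()
    live = store.login(pre, "alice", "ks-3")
    return store.logout_by_sso("ks-3"), store.user_for(live)


if __name__ == "__main__":
    print("planted SID resolves to:", fixation_attempt())
    print("logout by stale SID:", logout_with_stale_sid())
    print("logout by SSO alias:", logout_with_sso_alias())
```

The alias map is the part that matters for the thread: once the application indexes its session by the identity provider's session id instead of by its own (rotating) SID, the provider never needs to learn about the rotation, which is the alternative to adding application_session_state to the refresh endpoint.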