Re: [keycloak-dev] User sessions added

Could we not have a separate session state cookie that is not HttpOnly? ----- Original Message ----- > From: "Bill Burke" <bburke(a)redhat.com&gt; > To: "Stian Thorgersen" <stian(a)redhat.com&gt; > Cc: keycloak-dev(a)lists.jboss.org > Sent: Friday, 9 May, 2014 2:36:09 PM > Subject: Re: [keycloak-dev] User sessions added > > That's what I was saying before. There is no benefit in using Iframes > if your login cookies are HttpOnly. Your set timeout is *already* > happening indirectly via refresh tokens. > > The only other benefit might be in that you'd have to enable CORS for > that "ping" request which might be a pain. > > On 5/9/2014 9:10 AM, Stian Thorgersen wrote: >> What then is the benefit of having this iframe compared to just adding >> something like the following to keycloak.js: >> >> setTimeout(function() { >> var req = new XMLHttpRequest(); >> req.open('GET', >> 'http://localhost:8080/auth/rest/realms/realm/tokens/session-status?session_state=...', >> true); >> req.onreadystatechange = function () { >> if (req.readyState == 4 && req.status == 200) { >> var status = JSON.parse(req.responseText); >> if (!status.active) { >> clearToken(); >> } >> } >> } >> req.send(); >> }, 3000); >> >> >> ----- Original Message ----- >>> From: "Bill Burke" <bburke(a)redhat.com&gt; >>> To: keycloak-dev(a)lists.jboss.org >>> Sent: Friday, 9 May, 2014 1:41:02 PM >>> Subject: Re: [keycloak-dev] User sessions added >>> >>> >>> >>> On 5/9/2014 6:59 AM, Stian Thorgersen wrote: >>>> User sessions have been added. In summary when a user logs in a new >>>> session >>>> is created (and persisted in the model). The identity cookie as well as >>>> all tokens/refresh-tokens are associated with a session. When a user logs >>>> out the session is invalidated (removed from the model), which >>>> invalidates >>>> the identity cookie and all tokens/refresh-tokens. >>>> >>>> There's two related issues left to do: >>>> >>>> * Make sure adapters only log out a specific session (if LoginAction >>>> contains a session id) >>>> * Allow a user to log out all sessions through the account management >>>> console >>>> >>>> Also, we may want some mechanism to retrieve the status of a session from >>>> applications. This could be a REST endpoint, or the crazy iframe >>>> technique >>>> from OpenID Connect. I think this can be postponed to after 1.0 though. >>>> >>> >>> The crazy IFrame techique would require this REST "ping". At least for >>> us, as our cookies would be http-only. >>> >>> >>> -- >>> Bill Burke >>> JBoss, a division of Red Hat >>> http://bill.burkecentral.com >>> _______________________________________________ >>> keycloak-dev mailing list >>> keycloak-dev(a)lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-dev >>> > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com >