Do not get me wrong, I will add the try/catch in our code as anyway we also invalidate the
session so this is not a problem for us.
I am just curious why it was implemented this way in Keycloak.
-----Original Message-----
From: keycloak-user-bounces(a)lists.jboss.org [mailto:keycloak-user-bounces(a)lists.jboss.org] On Behalf Of Amat, Juan (Nokia - US)
Sent: Monday, March 13, 2017 7:28 AM
To: Marek Posolda <mposolda(a)redhat.com>; keycloak-user(a)lists.jboss.org
Subject: Suspected SPAM - Re: [keycloak-user] Session already invalidated
Actually I do not think that this is the case with Wildfly (or we would have this
'Session already invalidated' error and we do not see it).
True, there is a flag in undertow that you can set to invalidate the session during
logout.
But again I do not think that this is used by default in Wildfly.
And please tell me why this would be 'unsafe'?
> -----Original Message-----
> From: Marek Posolda [mailto:mposolda@redhat.com]
> Sent: Monday, March 13, 2017 2:04 AM
> To: Amat, Juan (Nokia - US) <juan.amat(a)nokia.com>; keycloak-user(a)lists.jboss.org
> Subject: Re: [keycloak-user] Session already invalidated
>
> It looks quite unsafe to logout and not invalidate session at the same time.
> And AFAIK Wildfly also invalidates HttpSession automatically during
> logout for their builtin authentication mechanisms (when Keycloak integration
> is disabled).
> You may use something else than HttpSession if you really have the
> use case when some session data shouldn't be invalidated at logout (eg.
> some custom storage backed by custom session cookie).
>
> Marek
>
> On 11/03/17 21:32, Amat, Juan (Nokia - US) wrote:
> > Hello,
> >
> > I read this thread:
> >
> > http://lists.jboss.org/pipermail/keycloak-user/2017-February/009550.html
> > I am hitting the same issue and I can use the same workaround.
> >
> > But I would really like to know why Keycloak calls session.invalidate when
> > processing the logout.
> > 'logout' and 'invalidate' are 2 different operations and in theory you may want
> > to logout while still keeping the session alive.
> >
> > Thank you.
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user(a)lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>