[keycloak-dev] Cookies & RememberMe clarification
Bill Burke
bburke at redhat.com
Tue Sep 16 10:31:48 EDT 2014
On 9/16/2014 10:25 AM, Marek Posolda wrote:
> On 16.9.2014 16:15, Bill Burke wrote:
>> There are multiple cookies that have different purposes. The remember
>> me cookie might be a legacy thing that we needed prior to having a user
>> session. We needed a way to propagate that the user clicked "remember
>> me" if there was an account action that needed to take place or if OTP
>> was enabled. This cookie may not be needed anymore because UserSessions
>> are so core to what we're doing.
> yes, looks like it's purely legacy as it's not used for anything now. We
> can either remove this cookie completely (and all the code related to
> it) or use it for 'prefill' the login form as Stian proposed.
>>
>> We have two keycloak identity cookies. One is persistent, secure, and
>> HttpOnly and contains a digitally signed access token. This is used to
>> authenticate a user. The other identity cookie is session only,
>> non-persistent, can be propagated from Javascript (not HttpOnly) and is
>> used solely with the Keycloak.js library to determine if the user is
>> still logged in. (the iframe stuff).
> yep, I know. What I am proposing is increase lifespan of identityToken
> attached to KEYCLOAK_IDENTITY
> (AuthenticationManager.createIdentityToken) to ssoSessionMaxLifespan
> instead of ssoSessionIdleTimeout. As currently it could happen that you
> are logged-out even if your UserSession is still valid (example 1 from
> my first mail).
>
Again, probably a legacy thing why it is implemented the way it's
implemented. Cookie authentication just needs to check the session to
see if it has been idle too long.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
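The two cookies and the two timeout policies under discussion, as an added illustration that is not part of the thread and not Keycloak's own code. It models the KEYCLOAK_IDENTITY cookie (persistent, Secure, HttpOnly, carrying the signed token) and the session-only, non-HttpOnly cookie read by keycloak.js, then contrasts a token whose expiry is bound to ssoSessionIdleTimeout with a check against the UserSession itself. The timeout values, the cookie path, the cookie name KEYCLOAK_SESSION and the timeline are constructed for the example; the only point taken from the thread is that a token expiring on the idle timeout can log a user out while the session is still valid.

```python
"""Constructed model of the two Keycloak identity cookies and the
session-idle check from the thread. Example code, not Keycloak's."""
from dataclasses import dataclass

# Realm settings (assumed values for the example, in seconds).
IDLE_TIMEOUT = 30 * 60         # ssoSessionIdleTimeout
MAX_LIFESPAN = 10 * 60 * 60    # ssoSessionMaxLifespan
REALM_PATH = "/auth/realms/demo"  # assumed cookie path


@dataclass
class UserSession:
    started: int        # epoch seconds when the SSO session was created
    last_refresh: int   # epoch seconds of the last activity on the session


def session_state(sess, now, idle=IDLE_TIMEOUT, max_life=MAX_LIFESPAN):
    """Classify the session at time `now`: 'valid', 'idle' or 'expired'."""
    if now - sess.started > max_life:
        return "expired"            # past ssoSessionMaxLifespan
    if now - sess.last_refresh > idle:
        return "idle"               # past ssoSessionIdleTimeout
    return "valid"


def identity_cookie(signed_token, max_age):
    """Persistent cookie for server-side authentication:
    Secure + HttpOnly, so scripts cannot read the signed token."""
    return (f"KEYCLOAK_IDENTITY={signed_token}; Path={REALM_PATH}; "
            f"Max-Age={max_age}; Secure; HttpOnly")


def session_cookie(session_id):
    """Session-only cookie (no Max-Age/Expires, so it dies with the browser)
    and deliberately not HttpOnly: keycloak.js reads it in the iframe to
    decide whether the user is still logged in."""
    return f"KEYCLOAK_SESSION={session_id}; Path={REALM_PATH}; Secure"


def token_bound_login(token_exp, now):
    """Current behaviour as described in the thread: the identity token
    carries its own exp (issued + idle timeout) and the cookie stops
    authenticating once that passes, whatever the session says."""
    return now <= token_exp


def session_bound_login(sess, now):
    """Proposed behaviour: cookie authentication consults the UserSession
    and only rejects when the session itself is idle or expired."""
    return session_state(sess, now) == "valid"


def scenario():
    """Constructed timeline: token issued at t=0 with exp = idle timeout;
    another client refreshes the session at t=1500; check at t=2000."""
    issued = 0
    token_exp = issued + IDLE_TIMEOUT           # 1800
    sess = UserSession(started=issued, last_refresh=1500)
    now = 2000
    return {
        "session_state": session_state(sess, now),          # 'valid'
        "token_bound": token_bound_login(token_exp, now),   # False: logged out
        "session_bound": session_bound_login(sess, now),    # True: still in
    }


if __name__ == "__main__":
    print(identity_cookie("<signed-token>", MAX_LIFESPAN))
    print(session_cookie("<session-id>"))
    print(scenario())
```

The divergence in `scenario()` is the problem the thread points at: at t=2000 the session was refreshed only 500 seconds ago and is well inside both timeouts, yet a token stamped with `issued + idleTimeout` has already expired. Checking the session (`session_bound_login`) removes the mismatch, and the idle check still happens, just against the session's last refresh instead of the token's issue time.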