[keycloak-dev] Rest password can cause cookie not found

Stian Thorgersen stian at redhat.com
Mon Jan 26 08:07:09 EST 2015


Someone reported https://issues.jboss.org/browse/KEYCLOAK-1014. In summary if you click on reset password, close the browser, then click the link in the email to recover password the state cookie won't be set.

Some suggestions on how to solve this:

* Store state variable in non-session cookie (with some sensible expiration 24h?)
* Generate/verify state using HMAC on the server-side instead of using uuid
* Improve error message on client side if state is not correct, basically asking user to re-login - can this be easily implemented in the app itself with the adapter today?


More information about the keycloak-dev mailing list