[keycloak-dev] Rest password can cause cookie not found
Michael Gerber
gerbermichi at me.com
Mon Jan 26 12:12:40 EST 2015
> On 26.01.2015 at 16:54, Bill Burke <bburke at redhat.com> wrote:
>
>
>
>> On 1/26/2015 8:45 AM, Stian Thorgersen wrote:
>>
>>
>> ----- Original Message -----
>>> From: "Bill Burke" <bburke at redhat.com>
>>> To: keycloak-dev at lists.jboss.org
>>> Sent: Monday, January 26, 2015 2:27:30 PM
>>> Subject: Re: [keycloak-dev] Rest password can cause cookie not found
>>>
>>> Wouldn't this work?
>>>
>>> 1) store "state" of state cookie in user session.
>>> 2) embed user session and state of state cookie in URL
>>>
>>> Of course this screws up your "shorter URL" crusade.
>>
>> I'm not following - the problem isn't remembering the state variable in Keycloak, that's already sorted as we already store all the query params passed by the client in the client session (state, redirect_uri, etc). The problem is storing it on the adapter side.
>
> I think I get it...
>
>
> 1. Send email
> 2. Close browser
> 3. Open browser
> 4. Click email link
> 5. Reset password
> 6. Redirect back to app
> 7. App barfs because of state cookie
>
>
> Persistent state cookie sounds like cleanest and simplest solution. I
> just worry we'll introduce different bugs, or if we're opening up some
> kind of security hole. Maybe I'm just paranoid.
That doesn't work if the user uses two different browsers. This is the case in a lot of companies (at least in Switzerland :)) where the users are forced to use IE (default) but would rather work with Firefox.
>
> Another possibility:
>
> * Maybe set an auth server session cookie. If that cookie isn't set,
> just redirect to an auth server page that says "Password was reset" and
> don't redirect back to the application.
>
>
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
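The two options discussed in this thread, as an added illustration that is not Keycloak's adapter or server code: the adapter-side callback check distinguishes a state cookie that is absent (the reset link was opened in another browser, so there is nothing to compare and the login is simply restarted) from one that is present but different (treated as a forged callback), and the auth-server-side variant only redirects back to the application when the browser that finished the reset still carries the auth server's own session cookie. The cookie name, return strings and function names are assumptions for this example.

```python
import hmac
import secrets
from typing import Mapping, Optional

STATE_COOKIE = "OAuth_Token_Request_State"  # hypothetical adapter cookie name


def begin_login(cookies_out: dict) -> str:
    """Adapter side: mint a random state, remember it in a cookie,
    and return it so the caller can put it on the authorization URL."""
    state = secrets.token_urlsafe(32)
    cookies_out[STATE_COOKIE] = state
    return state


def handle_callback(query: Mapping[str, str], cookies: Mapping[str, str]) -> str:
    """Adapter side: decide what to do with a redirect back from the auth server.
    Returns 'exchange_code', 'restart_login' or 'reject'."""
    state_param = query.get("state")
    state_cookie = cookies.get(STATE_COOKIE)
    if state_param is None or "code" not in query:
        return "reject"  # not a well-formed callback at all
    if state_cookie is None:
        # No cookie: the reset-password link was opened in a different browser
        # (or after the browser was closed), so there is nothing to verify the
        # code against. Do not use the code; start a fresh login instead of
        # failing with "cookie not found".
        return "restart_login"
    if not hmac.compare_digest(state_param.encode(), state_cookie.encode()):
        return "reject"  # cookie present but different: treat as CSRF, never exchange
    return "exchange_code"


def finish_password_reset(auth_session_cookie: Optional[str], redirect_uri: str) -> str:
    """Auth-server side variant from the thread: only send the browser back to
    the application when it is the one that holds the auth server session."""
    if auth_session_cookie is None:
        return "render:password-was-reset"  # show a confirmation page, no redirect
    return "redirect:" + redirect_uri
```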