[keycloak-dev] Rest password can cause cookie not found

Bill Burke bburke at redhat.com
Mon Jan 26 12:36:46 EST 2015



On 1/26/2015 12:12 PM, Michael Gerber wrote:
>
>> Am 26.01.2015 um 16:54 schrieb Bill Burke <bburke at redhat.com>:
>>
>>
>>
>>> On 1/26/2015 8:45 AM, Stian Thorgersen wrote:
>>>
>>>
>>> ----- Original Message -----
>>>> From: "Bill Burke" <bburke at redhat.com>
>>>> To: keycloak-dev at lists.jboss.org
>>>> Sent: Monday, January 26, 2015 2:27:30 PM
>>>> Subject: Re: [keycloak-dev] Rest password can cause cookie not found
>>>>
>>>> Wouldn't this work?
>>>>
>>>> 1) store "state" of state cookie in user session.
>>>> 2) embed user session and state of state cookie in URL
>>>>
>>>> Of course this screws up your "shorter URL" crusade.
>>>
>>> I'm not following - the problem isn't remembering the state variable in Keycloak, that's already sorted as we already store all the query params passed by the client in the client session (state, redirect_uri, etc). The problem is storing it on the adapter side.
>>
>> I think I get it...
>>
>>
>> 1. Send email
>> 2. Close browser
>> 3. Open browser
>> 4. Click email link
>> 5. Reset password
>> 6. Redirect back to app
>> 7. App barfs because of state cookie
>>
>>
>> Persistent state cookie sounds like cleanest and simplest solution. I
>> just worry we'll introduce different bugs, or if we're opening up some
>> kind of security hole.  Maybe I'm just paranoid.
> That doesn't work if the user uses two different browsers. This is the case in a lot of companies (at least in Switzerland :)) where the users are forced to use IE (default) but rather work with Firefox.

Unless we extend the protocol, or don't redirect from the email, I don't 
see a fix.


-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
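The seven-step sequence Bill lists and Michael's two-browser objection, modeled as an added example (this is not Keycloak's adapter code): a minimal simulation of the adapter-side state cookie check, with Keycloak echoing the state it keeps in the client session. The cookie name, URLs and the `Browser` cookie jar are constructed for the example.

```python
import secrets
from urllib.parse import urlencode, parse_qs, urlparse

STATE_COOKIE = "OAuth_Token_Request_State"  # assumed name, not necessarily the adapter's real one

class Browser:
    """One browser profile's cookie jar (constructed for this example)."""
    def __init__(self):
        self.cookies = {}          # name -> (value, persistent)
    def close(self):
        # Closing the browser (step 2) drops session cookies; persistent ones survive.
        self.cookies = {n: (v, p) for n, (v, p) in self.cookies.items() if p}
    def get(self, name):
        return self.cookies[name][0] if name in self.cookies else None

def adapter_start_login(browser, persistent=False):
    """Adapter side: mint a state nonce, remember it in a cookie, build the Keycloak auth URL."""
    state = secrets.token_urlsafe(16)
    browser.cookies[STATE_COOKIE] = (state, persistent)
    return "https://keycloak.example/auth?" + urlencode(
        {"state": state, "redirect_uri": "https://app.example/cb"})

def keycloak_client_session(auth_url):
    """Keycloak side: it already keeps state/redirect_uri in the client session, so it can
    echo state back on the redirect no matter which browser finishes the flow."""
    q = parse_qs(urlparse(auth_url).query)
    return {"state": q["state"][0], "redirect_uri": q["redirect_uri"][0]}

def keycloak_redirect_back(client_session):
    return client_session["redirect_uri"] + "?" + urlencode(
        {"code": "constructed-code", "state": client_session["state"]})

def adapter_callback(browser, callback_url):
    """Adapter side: the state check guarding the callback. Returns (ok, reason)."""
    expected = browser.get(STATE_COOKIE)
    if expected is None:
        return False, "state cookie not found"     # step 7: the app 'barfs'
    got = parse_qs(urlparse(callback_url).query)["state"][0]
    if not secrets.compare_digest(expected, got):
        return False, "state mismatch"
    del browser.cookies[STATE_COOKIE]                # one-time use
    return True, "ok"

def reset_password_flow(start, finish, close_between, persistent=False):
    """Steps 1-7 from the thread: login starts in `start`, the email link is opened in `finish`."""
    sess = keycloak_client_session(adapter_start_login(start, persistent))  # 1: email sent
    if close_between:
        start.close()                                                      # 2-3: close/reopen
    return adapter_callback(finish, keycloak_redirect_back(sess))          # 4-7: reset, redirect
```

A persistent cookie rescues the close-and-reopen case only when the same browser profile opens the email link; a second browser has no jar to read, so the callback still reports the cookie as missing.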

