[keycloak-dev] timeouts

Bill Burke bburke at redhat.com
Thu Jul 23 11:16:23 EDT 2015

Was thinking about this more and I think it might be ok to have a 
session cookie that has all the initial information needed to restore 
the client session and restart the login without having to redirect back 
to the client.  The session cookie would match up against the code query 
param that is passed around.  This would probably be good enough 
protection.  Only thing an attacker would be able to do is restart the 

Bill Burke
JBoss, a division of Red Hat

More information about the keycloak-dev mailing list