[keycloak-dev] application session state update

Stian Thorgersen stian at redhat.com
Tue Mar 31 03:33:26 EDT 2015



----- Original Message -----
> From: "Bastian Ike" <bastian.ike at aoe.com>
> To: "Marek Posolda" <mposolda at redhat.com>, "Sebastian Rose" <sebastian.rose at aoe.com>, keycloak-dev at lists.jboss.org
> Sent: Tuesday, 31 March, 2015 9:24:09 AM
> Subject: Re: [keycloak-dev] application session state update
> 
> Hi guys,
> 
> We're connecting Magento with Keycloak, and the SID is regenerated after
> every change of the login status to prevent session fixation attacks where
> attackers might be able to enforce a session id or observe a session id
> prior to authentication and can later access user accounts by requesting
> private resources using these session ids.
> 
> SID refreshes are a common way to prevent this kind of issue and to ensure
> that no old SIDs are leaked and cannot be enforced or predicted.

I don't think this is relevant to this discussion, but in either case that's not an issue in Keycloak. The session id in Keycloak is just a reference to a specific user session and only valid for the lifetime of the session (it's also a UUID so is not predictable). Having the knowledge of a session id doesn't provide an attacker with anything more than say a username, it's just a reference.

> 
> Regards, Bastian
> 
> From: Marek Posolda < mposolda at redhat.com >
> Date: Mon, 30 Mar 2015 23:00:03 +0200
> To: Sebastian Rose < sebastian.rose at aoe.com >, " keycloak-dev at lists.jboss.org
> " < keycloak-dev at lists.jboss.org >
> Subject: Re: [keycloak-dev] application session state update
> 
> On 27.3.2015 17:22, Sebastian Rose wrote:
> 
> Hi everyone,
> 
> The endpoint /auth/realms/<realm>/protocol/openid-connect/access/codes has a
> parameter for the session id of a secured application (adapters use it):
> application_session_state. The endpoint
> /auth/realms/<realm>/protocol/openid-connect/refresh does not. At least this
> is what I saw within the code. Sorry, if it's there.
> 
> We have integrated our own application a la adapter, using these two URLs
> and it's working fine. Our application completes the login via the first
> endpoint and changes its session id after the successful login. This means
> when a logout event is sent to our application, the old session id is used.
> 
> So you're not using servlet API but something completely different? Which
> framework are you using? Just curious about your use case as in a normal
> servlet application the HttpSession ID is the same for the whole life of user
> interaction and doesn't need to be changed after authentication (or during
> refresh).
> 
> Marek
> 
> So I'm asking if it makes sense to you to have the same parameter for the
> refresh-url to cover our requirement or to integrate an
> application_session_state update endpoint to add/delete/update
> additional/new session ids.
> 
> Best Regards
> 
> Sebastian
> 
> _______________________________________________
> keycloak-dev mailing list keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
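The stale application session id that Sebastian describes, and the refresh-time update he proposes, as an added Python example that is not Keycloak or Magento code: a constructed in-memory model of the link between a Keycloak user session and the application session id, where the class and function names, the user session id and the user name are assumptions chosen for the illustration.

```python
import secrets

# Constructed model (added example, not Keycloak code) of the link the adapters
# establish by sending application_session_state to the code endpoint.
class KeycloakSessionLink:
    def __init__(self):
        self.links = {}  # Keycloak user session id -> application session id

    def code_endpoint(self, user_session, app_session_state):
        # The code endpoint records the application's session id.
        self.links[user_session] = app_session_state

    def refresh_endpoint(self, user_session, app_session_state=None):
        # The real refresh endpoint has no such parameter; the thread proposes
        # accepting one and updating the stored id, which is modelled here.
        if app_session_state is not None:
            self.links[user_session] = app_session_state

    def backchannel_logout(self, user_session):
        # Logout is delivered to the application using whatever id was stored.
        return self.links.pop(user_session)

class Application:
    def __init__(self):
        self.sessions = {}  # application session id -> session data

    def start_session(self):
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": None}
        return sid

    def regenerate_id(self, old_sid):
        # Session-fixation defence: keep the data, issue a fresh unpredictable id
        # so an id planted or observed before login stops being valid.
        data = self.sessions.pop(old_sid)
        new_sid = secrets.token_hex(16)
        self.sessions[new_sid] = data
        return new_sid

    def invalidate(self, sid):
        return self.sessions.pop(sid, None) is not None

def logout_reaches_live_session(update_on_refresh):
    """True if the id Keycloak sends at logout still names a live app session."""
    kc, app = KeycloakSessionLink(), Application()
    pre_login = app.start_session()                 # session before login
    kc.code_endpoint("user-session-1", pre_login)   # constructed user session id
    app.sessions[pre_login]["user"] = "alice"       # constructed login
    post_login = app.regenerate_id(pre_login)       # Magento-style SID refresh
    kc.refresh_endpoint("user-session-1", post_login if update_on_refresh else None)
    return app.invalidate(kc.backchannel_logout("user-session-1"))
```

Without the update, the backchannel logout names an id the application already discarded, so the live post-login session survives; with it, the logout lands on the right session.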

