[keycloak-dev] browser refresh and back button issues

Bill Burke bburke at redhat.com
Wed Oct 14 12:58:47 EDT 2015


I've been looking into a couple of "browser refresh" bugs.  Currently, 
if an HTTP request to the auth flow SPI did not match the state of the 
client session you would

a) have the flow reset if you were currently in the process of 
authenticating
b) show an error screen if you aren't currently authenticating (i.e. 
performing required actions)

Now I remember why I did it this way.  It is impossible to detect the 
difference between a browser refresh and somebody hitting the back 
button and resubmitting a previous form.  Hitting "browser refresh" will 
resubmit any previous form POST.  So, you have no idea if the user is 
refreshing the current page or resubmitting after a browser back button.

So, I think it is best to keep things the way they are now.  Thoughts?


-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
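A simplified model of the behaviour the message describes, written here as an added example and not taken from Keycloak's source: each rendered form carries the step it belongs to and a one-time token, and a POST that does not match the client session's current state resets the flow while authenticating and shows an error afterwards. The step names, the form token and the return values are assumptions of the model; the last two functions show that a refresh and a back-button resubmit reach the server as the same request.

```python
import secrets

# Added example, not Keycloak code: a minimal client-session state machine
# for an auth flow made of ordered steps (constructed step names).

class ClientSession:
    def __init__(self, steps):
        self.steps = list(steps)      # ordered authenticator executions
        self.index = 0                # step whose form is currently expected
        self.authenticated = False
        self.form_token = None        # token of the last rendered form

    def render_form(self):
        # The server renders the form for the current step with a fresh token.
        self.form_token = secrets.token_hex(8)
        return {"step": self.steps[self.index], "token": self.form_token}

    def submit(self, form):
        if self.authenticated:
            return "error"            # case b): not authenticating any more
        if form["step"] != self.steps[self.index] or form["token"] != self.form_token:
            self.index, self.form_token = 0, None
            return "reset"            # case a): state mismatch while authenticating
        self.index += 1
        self.form_token = None
        if self.index == len(self.steps):
            self.authenticated = True
            return "done"
        return "advance"

def happy_path():
    s = ClientSession(["username", "password"])
    return [s.submit(s.render_form()), s.submit(s.render_form())]

def replayed_post_during_flow():
    # Refresh and the back button both make the browser resend the last POST;
    # the server receives identical requests and cannot tell the two apart.
    s = ClientSession(["username", "password"])
    first = s.render_form()
    s.submit(first)          # user is now on the password step
    s.render_form()          # password form rendered, session expects it
    return s.submit(first)   # username form POSTed again -> flow reset

def replayed_post_after_login():
    s = ClientSession(["username", "password"])
    forms = [s.render_form()]
    s.submit(forms[0])
    forms.append(s.render_form())
    s.submit(forms[1])         # flow completed, session authenticated
    return s.submit(forms[1])  # stale POST after login -> error screen
```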