[keycloak-user] Session already invalidated
Marek Posolda
mposolda at redhat.com
Mon Mar 13 05:04:18 EDT 2017
It looks quite unsafe to log out and not invalidate the session at the
same time. And AFAIK Wildfly also invalidates HttpSession
automatically during logout for their built-in authentication mechanisms
(when Keycloak integration is disabled). You may use something other than
HttpSession if you really have a use case where some session data
shouldn't be invalidated at logout (e.g. some custom storage backed by
a custom session cookie).
Marek
On 11/03/17 21:32, Amat, Juan (Nokia - US) wrote:
> Hello,
>
> I read this thread: http://lists.jboss.org/pipermail/keycloak-user/2017-February/009550.html
> I am hitting the same issue and I can use the same workaround.
>
> But I would really like to know why Keycloak calls session.invalidate when processing the logout.
> 'logout' and 'invalidate' are 2 different operations and in theory you may want to logout while still keeping the session alive.
>
> Thank you.
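
The alternative suggested in the reply, as an added example (not code from this thread or from Keycloak): a logout servlet copies one non-sensitive value into separate storage keyed by its own cookie, then ends the login and the HttpSession together. The servlet path, cookie name, attribute name and in-memory store are assumptions. A session the logout mechanism has already invalidated is tolerated.

```java
import java.io.IOException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.*;

// Hypothetical servlet: data that must outlive logout lives outside HttpSession.
@WebServlet("/logout")
public class LogoutServlet extends HttpServlet {
    // Assumed names; the in-memory map stands in for a real store with expiry.
    static final String PREFS_COOKIE = "APP_PREFS";
    static final String PREFS_ATTR = "uiPrefs";
    static final Map<String, String> PREFS_STORE = new ConcurrentHashMap<>();
    private static final SecureRandom RNG = new SecureRandom();

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        HttpSession session = req.getSession(false);
        if (session != null) {
            // Copy only the non-sensitive value, and do it before logout():
            // reading attributes of an invalidated session throws.
            Object prefs = session.getAttribute(PREFS_ATTR);
            if (prefs instanceof String) {
                byte[] id = new byte[32];
                RNG.nextBytes(id);
                String key = Base64.getUrlEncoder().withoutPadding().encodeToString(id);
                PREFS_STORE.put(key, (String) prefs);
                Cookie c = new Cookie(PREFS_COOKIE, key); // unrelated to the session id
                c.setHttpOnly(true);
                c.setSecure(true);
                c.setPath(req.getContextPath().isEmpty() ? "/" : req.getContextPath());
                resp.addCookie(c);
            }
        }
        req.logout(); // drops the authenticated identity
        try {
            if (session != null) session.invalidate(); // identity and session end together
        } catch (IllegalStateException alreadyInvalidated) {
            // The logout mechanism invalidated the session itself; nothing left to do.
        }
        resp.sendRedirect(req.getContextPath() + "/");
    }
}
```

Nothing tied to the authenticated user should go into the separate store, since its cookie deliberately survives the logout.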