[keycloak-user] Session already invalidated

Amat, Juan (Nokia - US) juan.amat at nokia.com
Mon Mar 13 10:27:56 EDT 2017


Actually I do not think that this is the case with Wildfly (or we would have this 'Session already invalidated' error and we do not see it).
True, there is a flag in undertow that you can set to invalidate the session during logout.
But again I do not think that this is used by default in Wildfly.

And please tell me why this would be 'unsafe'?

> -----Original Message-----
> From: Marek Posolda [mailto:mposolda at redhat.com]
> Sent: Monday, March 13, 2017 2:04 AM
> To: Amat, Juan (Nokia - US) <juan.amat at nokia.com>; keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Session already invalidated
> 
> It looks quite unsafe to log out and not invalidate the session at the same time.
> And AFAIK Wildfly also invalidates HttpSession automatically during logout for
> their builtin authentication mechanisms (when Keycloak integration is disabled).
> You may use something else than HttpSession if you really have the use case
> when some session data shouldn't be invalidated at logout (e.g. some custom
> storage backed by custom session cookie).
> 
> Marek
> 
> On 11/03/17 21:32, Amat, Juan (Nokia - US) wrote:
> > Hello,
> >
> > I read this thread: http://lists.jboss.org/pipermail/keycloak-user/2017-February/009550.html
> > I am hitting the same issue and I can use the same workaround.
> >
> > But I would really like to know why Keycloak calls session.invalidate when
> > processing the logout.
> > 'logout' and 'invalidate' are 2 different operations and in theory you may want
> > to log out while still keeping the session alive.
> >
> > Thank you.
> 