[keycloak-user] Suspected SPAM - Re: Session already invalidated
Amat, Juan (Nokia - US)
juan.amat at nokia.com
Mon Mar 13 12:56:51 EDT 2017
Do not get me wrong, I will add the try/catch in our code as anyway we also invalidate the session so this is not a problem for us.
I am just curious why it was implemented this way in Keycloak.
> -----Original Message-----
> From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-
> bounces at lists.jboss.org] On Behalf Of Amat, Juan (Nokia - US)
> Sent: Monday, March 13, 2017 7:28 AM
> To: Marek Posolda <mposolda at redhat.com>; keycloak-user at lists.jboss.org
> Subject: Suspected SPAM - Re: [keycloak-user] Session already invalidated
>
> Actually I do not think that this is the case with Wildfly (or we would have this
> 'Session already invalidated' error and we do not see it).
> True, there is a flag in undertow that you can set to invalidate the session during
> logout.
> But again I do not think that this is used by default in Wildfly.
>
> And please tell me why this would be 'unsafe'?
>
> > -----Original Message-----
> > From: Marek Posolda [mailto:mposolda at redhat.com]
> > Sent: Monday, March 13, 2017 2:04 AM
> > To: Amat, Juan (Nokia - US) <juan.amat at nokia.com>; keycloak-
> > user at lists.jboss.org
> > Subject: Re: [keycloak-user] Session already invalidated
> >
> > It looks like quite unsafe to logout and not invalidate session at the same time.
> > And AFAIK Wildfly is also invalidates HttpSession automatically during
> > logout for their builtin authentication mechanisms (when Keycloak integration
> is disabled).
> > You may use something else then HttpSession if you really have the
> > usecase when some session data shouldn't be invalidated at logout (eg.
> > some custom storage backed by custom session cookie).
> >
> > Marek
> >
> > On 11/03/17 21:32, Amat, Juan (Nokia - US) wrote:
> > > Hello,
> > >
> > > I read this thread:
> > > http://lists.jboss.org/pipermail/keycloak-user/2017-
> > February/009550.html
> > > I am hitting the same issue and I can use the same workaround.
> > >
> > > But I would really like to know why Keycloak calls
> > > session.invalidate when
> > processing the logout.
> > > 'logout' and 'invalidate' are 2 different operations and in theory
> > > you may want
> > to logout while still keeping the session alive.
> > >
> > > Thank you.
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
More information about the keycloak-user
mailing list