[keycloak-user] Session already invalidated

Amat, Juan (Nokia - US) juan.amat at nokia.com
Tue Mar 14 11:24:45 EDT 2017


> > And please tell me why this would be 'unsafe'?
> Yes. For example scenario like this:
> - You login to the "bank account" application
> - You can see the details of your bank account now
> - You click "Logout". If this logs you out but does not invalidate the
> session, then anyone who comes to the computer after you will see the details
> of your bank account
[JA] 
Hmm? How would you see the details?
If the bank account app stores confidential information related to the authenticated user,
then it should clean it up before calling HttpServletRequest.logout. And even if it does not
clean it up, it will not magically show up. IOW, yes, there could be a bug, but then this is another story.

> 
> I personally never saw web application where logout doesn't invalidate
> httpSession as well.
[JA] 
Maybe but this is up to the application to decide what to do. And again wildfly will not do it.

> 
> I can understand some data might be persistent even after logout (eg.
> locale). In this case, you can use separate cookie and separate storage, which
> will be persistent among logouts. 
[JA] 
For me it is up to the application to decide to keep the session or not.

> But I guess that's not related to your usecase?
[JA] 
Correct, we do invalidate the session so this does not concern our use case.
But it may affect other users.

> 
> Another thing is, that in the last mail of the thread you referenced, it's
> mentioned that there is bug in undertow. It will be fixed in undertow 1.4.7.Final.
> So once it's possible to have Wildfly upgraded to this version, it won't be needed
> to have try/catch block anymore.
[JA] 
Can you point me to the undertow ticket? I seem to remember reading some ticket
where they wanted to fix a similar issue but decided against it, as there is
still a time window anyway in which the session can be invalidated by another thread.
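The pattern the thread circles around (clear application data, call HttpServletRequest.logout, then invalidate the HttpSession yourself because the container will not, guarding against the session already having been invalidated by another thread) as an added Java servlet example. This is not code from the poster or from the Keycloak or WildFly projects; the servlet path, the "accountDetails" attribute name and the redirect target are assumptions for illustration.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical logout endpoint; path and attribute names are assumed.
@WebServlet("/logout")
public class LogoutServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Use getSession(false) so we never create a session just to destroy it.
        HttpSession session = req.getSession(false);

        // Step 1: remove application-held user data before logging out, so
        // nothing confidential lingers even if the session object survives.
        if (session != null) {
            session.removeAttribute("accountDetails"); // assumed attribute name
        }

        // Step 2: clear the container-level authentication state.
        // This does NOT invalidate the HttpSession on its own.
        req.logout();

        // Step 3: invalidate the HttpSession explicitly. Another thread (or the
        // adapter) may already have invalidated it, which the Servlet API reports
        // as IllegalStateException, so the call is guarded.
        if (session != null) {
            try {
                session.invalidate();
            } catch (IllegalStateException alreadyInvalidated) {
                // Session was already gone; the desired end state is reached.
            }
        }

        // Step 4: send the browser somewhere that requires no authentication.
        resp.sendRedirect(req.getContextPath() + "/");
    }
}
```

Logout is handled on POST only so that a cross-site GET cannot trigger it; the attribute cleanup in step 1 is what makes the outcome safe even on a container that leaves the session alive after logout.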
