[keycloak-user] Session already invalidated

Marek Posolda mposolda at redhat.com
Tue Mar 14 15:55:40 EDT 2017


On 14/03/17 16:24, Amat, Juan (Nokia - US) wrote:
>>> And please tell me why this would be 'unsafe'?
>> Yes. For example, a scenario like this:
>> - You log in to the "bank account" application
>> - You can now see the details of your bank account
>> - You click "Logout". If this logs you out but doesn't invalidate the
>> session, then anyone who comes to the computer after you will see the details
>> of your bank account
> [JA]
> Hmm? How would you see the details?
> If the bank account app stores confidential information related to the authenticated user,
> then it should clean it up before calling HttpServletRequest.logout. And even if it does not
> clean it up, it will not magically show up. IOW, yes, there could be a bug, but then that's another story.
Yes, exactly. Without automatically invalidating the httpSession, the 
application needs to take care of cleaning up the data manually. And yes, there 
could be a bug, which could potentially mean showing sensitive data to 
someone else. That's why I think it's quite an unsafe and error-prone 
practice not to expire the httpSession automatically at logout.

Feel free to create a JIRA for an invalidateSessionOnLogout flag. But TBH, I 
think it will have quite a low priority unless more people ask for 
this.

Marek
>
>> I personally never saw a web application where logout doesn't invalidate
>> the httpSession as well.
> [JA]
> Maybe, but this is up to the application to decide what to do. And again, WildFly will not do it.
>
>> I can understand some data might need to persist even after logout (e.g.
>> locale). In this case, you can use a separate cookie and separate storage, which
>> will persist across logouts.
> [JA]
> For me it is up to the application to decide to keep the session or not.
>
>> But I guess that's not related to your usecase?
> [JA]
> Correct, we do invalidate the session so this does not concern our use case.
> But it may affect other users.
>
>> Another thing is that in the last mail of the thread you referenced, it's
>> mentioned that there is a bug in Undertow. It will be fixed in Undertow 1.4.7.Final.
>> So once it's possible to have WildFly upgraded to this version, it won't be necessary
>> to have the try/catch block anymore.
> [JA]
> Can you point me to the Undertow ticket? I seem to remember reading some ticket
> where they wanted to fix a similar issue but decided against it, as there is
> still a time window when the session can be invalidated by another thread.
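Added example (not code from the thread, from Keycloak or from WildFly): a servlet logout handler written the way the discussion above implies an application must behave when HttpServletRequest.logout() does not invalidate the HttpSession for it. It clears sensitive attributes explicitly, moves a logout-surviving preference (the locale example) into its own cookie, invalidates the session itself, and tolerates the session having already been invalidated by another thread, which is the case the try/catch in the thread exists for. The servlet path, attribute names and cookie name are assumptions chosen for the example.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical application servlet; it does not rely on the container or the
// Keycloak adapter invalidating the HttpSession on its behalf.
@WebServlet("/logout")
public class SafeLogoutServlet extends HttpServlet {

    // Session attribute names are assumptions for this example.
    private static final String[] SENSITIVE_ATTRS = {"accountDetails", "accessToken"};
    private static final String LOCALE_ATTR = "locale";

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        HttpSession session = req.getSession(false);

        if (session != null) {
            // 1. Preferences that should survive logout go into their own
            //    cookie, not the session, so invalidation does not lose them.
            Object locale = session.getAttribute(LOCALE_ATTR);
            if (locale != null) {
                Cookie c = new Cookie(LOCALE_ATTR, locale.toString());
                c.setPath(req.getContextPath().isEmpty() ? "/" : req.getContextPath());
                c.setHttpOnly(true);
                resp.addCookie(c);
            }

            // 2. Remove confidential state explicitly, so that even if the
            //    session outlives the login nothing sensitive remains in it.
            for (String name : SENSITIVE_ATTRS) {
                session.removeAttribute(name);
            }
        }

        // 3. Log the principal out. As discussed in the thread, WildFly's
        //    logout() does not invalidate the HttpSession by itself.
        req.logout();

        // 4. Invalidate the session ourselves. Another thread (for example a
        //    back-channel logout handled by the adapter) may already have done
        //    so; the Servlet API specifies IllegalStateException for that
        //    case, so only that exception is swallowed.
        if (session != null) {
            try {
                session.invalidate();
            } catch (IllegalStateException alreadyInvalidated) {
                // The session is already gone, which is the outcome we wanted.
            }
        }

        // 5. Make sure the logout response is not cached, then leave the
        //    protected area.
        resp.setHeader("Cache-Control", "no-store");
        resp.sendRedirect(req.getContextPath() + "/");
    }
}
```

The ordering matters: attribute cleanup happens before logout() so that, even on a container that keeps the session alive, no bank-account data survives the click, and the catch is deliberately narrowed to IllegalStateException so that a genuine failure during logout is not hidden.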
