diff --git a/integration/js/src/main/resources/keycloak.js b/integration/js/src/main/resources/keycloak.js
index f826f39b3f..c844a57897 100755
--- a/integration/js/src/main/resources/keycloak.js
+++ b/integration/js/src/main/resources/keycloak.js
@@ -389,9 +389,9 @@ var Keycloak = function (config) {
 if (token) {
 kc.token = token;
 kc.tokenParsed = JSON.parse(decodeURIComponent(escape(window.atob( token.split('.')[1] ))));
- var sessionId = kc.realm + '-' + kc.tokenParsed.sub;
+ var sessionId = kc.realm + '/' + kc.tokenParsed.sub;
 if (kc.tokenParsed.session_state) {
- sessionId = sessionId + '-' + kc.tokenParsed.session_state;
+ sessionId = sessionId + '/' + kc.tokenParsed.session_state;
 }
 kc.sessionId = sessionId;
 kc.authenticated = true;
diff --git a/services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java b/services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java
index 3f40e51815..26fe574654 100755
--- a/services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java
+++ b/services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java
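Review bot: The new `sessionId` is derived from `kc.tokenParsed`, which the context line just above the first changed line fills by calling `window.atob` on the raw second JWT segment; JWT segments are base64url-encoded (alphabet uses `-` and `_`), and `atob` rejects those characters, so a token whose payload happens to contain them throws before the new lines run. Normalize the segment first: `var payload = token.split('.')[1].replace(/-/g, '+').replace(/_/g, '/');` and then `kc.tokenParsed = JSON.parse(decodeURIComponent(escape(window.atob(payload))));`. The `/`-joined value must also stay byte-identical to what the server writes into KEYCLOAK_SESSION (realm name, user id, session id), which presumes `sub` equals the server-side user id — worth a comment such as `// Must match the KEYCLOAK_SESSION cookie format written by AuthenticationManager.createLoginCookie`. The enclosing `Keycloak` constructor and the function this `if` belongs to both start and end outside the hunk.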
@@ -111,12 +111,13 @@ public class AuthenticationManager {
 CookieHelper.addCookie(KEYCLOAK_IDENTITY_COOKIE, encoded, cookiePath, null, null, maxAge, secureOnly, true);
 //builder.cookie(new NewCookie(cookieName, encoded, cookiePath, null, null, maxAge, secureOnly));// todo httponly , true);
- String sessionCookieValue = realm.getName() + "-" + user.getId();
+ String sessionCookieValue = realm.getName() + "/" + user.getId();
 if (session != null) {
- sessionCookieValue += "-" + session.getId();
+ sessionCookieValue += "/" + session.getId();
 }
 // THIS SHOULD NOT BE A HTTPONLY COOKIE! It is used for OpenID Connect Iframe Session support!
- CookieHelper.addCookie(KEYCLOAK_SESSION_COOKIE, sessionCookieValue, cookiePath, null, null, maxAge, secureOnly, false);
+ // Max age should be set to the max lifespan of the session as it's used to invalidate old-sessions on re-login
+ CookieHelper.addCookie(KEYCLOAK_SESSION_COOKIE, sessionCookieValue, cookiePath, null, null, realm.getSsoSessionMaxLifespan(), secureOnly, false);
 }
diff --git a/services/src/main/java/org/keycloak/services/resources/flows/OAuthFlows.java b/services/src/main/java/org/keycloak/services/resources/flows/OAuthFlows.java
index 9591e6f56d..c44f39d453 100755
--- a/services/src/main/java/org/keycloak/services/resources/flows/OAuthFlows.java
+++ b/services/src/main/java/org/keycloak/services/resources/flows/OAuthFlows.java
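Review bot: The last added line decouples the lifetime of KEYCLOAK_SESSION from the identity cookie: the identity cookie on the first line of the hunk still uses `maxAge`, whose derivation is outside the hunk, while the session cookie now lives for `realm.getSsoSessionMaxLifespan()` in every case. If `maxAge` is a browser-session value for logins without remember-me, a non-HttpOnly cookie carrying the realm, user id and session id now survives browser restarts on a shared machine after the identity cookie is gone, and that value is what OAuthFlows later treats as a session to remove. The intent is plausible given the added comment, but it should say so explicitly and the logout path should be checked to expire this cookie; I would replace the added comment with `// Deliberately outlives the identity cookie: OAuthFlows reads the previous session id from it on re-login to remove that session. Must be expired on logout.`. Note also that the separator change means cookies written by the previous build (with `-`) remain in browsers until they expire and no longer parse as three fields. createLoginCookie's signature and the computation of `maxAge` lie outside this hunk.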
@@ -99,6 +99,19 @@ public class OAuthFlows {
 Response.ResponseBuilder location = Response.status(302).location(redirectUri.build());
 Cookie remember = request.getHttpHeaders().getCookies().get(AuthenticationManager.KEYCLOAK_REMEMBER_ME);
 rememberMe = rememberMe || remember != null;
+
+ Cookie sessionCookie = request.getHttpHeaders().getCookies().get(AuthenticationManager.KEYCLOAK_SESSION_COOKIE);
+ if (sessionCookie != null) {
+ String oldSessionId = sessionCookie.getValue().split("/")[2];
+ if (!oldSessionId.equals(session.getId())) {
+ UserSessionModel oldSession = realm.getUserSession(oldSessionId);
+ if (oldSession != null) {
+ log.debugv("Removing old user session: session: {0}", oldSessionId);
+ realm.removeUserSession(oldSession);
+ }
+ }
+ }
+
 // refresh the cookies!
 authManager.createLoginCookie(realm, accessCode.getUser(), session, uriInfo, rememberMe);
 if (rememberMe) authManager.createRememberMeCookie(realm, uriInfo);
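Review bot: `sessionCookie.getValue().split("/")[2]` indexes a client-supplied cookie without checking how many parts it has; a cookie with fewer than three `/`-separated fields — one written by the previous `-`-separated format that is still in a browser, one created when AuthenticationManager.createLoginCookie had a null `session` and so wrote only two fields, or one set deliberately — throws ArrayIndexOutOfBoundsException and turns the login redirect into a server error. The looked-up session is also removed without confirming it belongs to the user who is logging in (`accessCode.getUser()`), so anyone who can place another user's session id into their own KEYCLOAK_SESSION cookie can terminate that user's session; the cookie is deliberately not HttpOnly, so any script on the origin can set it. I would validate the field count and the owner before removing anything (assuming UserSessionModel exposes its user via `getUser()`, which the hunk does not show), and ignore anything else as a stale or forged cookie. The enclosing method starts before and ends after this hunk.
```java
Cookie sessionCookie = request.getHttpHeaders().getCookies().get(AuthenticationManager.KEYCLOAK_SESSION_COOKIE);
if (sessionCookie != null) {
    // Expected format realm/userId/sessionId as written by createLoginCookie; anything else is stale or forged
    String[] parts = sessionCookie.getValue().split("/");
    if (parts.length == 3 && realm.getName().equals(parts[0]) && !parts[2].equals(session.getId())) {
        UserSessionModel oldSession = realm.getUserSession(parts[2]);
        // Only remove a session owned by the user who is logging in now
        if (oldSession != null && oldSession.getUser() != null
                && oldSession.getUser().getId().equals(accessCode.getUser().getId())) {
            log.debugv("Removing old user session: session: {0}", parts[2]);
            realm.removeUserSession(oldSession);
        }
    }
}
// … unchanged: cookie refresh …
```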