Merge pull request #487 from stianst/master

KEYCLOAK-501 Check if old session for browser exists and delete before c...
Stian Thorgersen 2014-06-27 13:58:23 +01:00
commit 436f5f6229
3 changed files with 19 additions and 5 deletions


@ -389,9 +389,9 @@ var Keycloak = function (config) {
if (token) {
kc.token = token;
kc.tokenParsed = JSON.parse(decodeURIComponent(escape(window.atob( token.split('.')[1] ))));
var sessionId = kc.realm + '-' + kc.tokenParsed.sub;
var sessionId = kc.realm + '/' + kc.tokenParsed.sub;
if (kc.tokenParsed.session_state) {
sessionId = sessionId + '-' + kc.tokenParsed.session_state;
sessionId = sessionId + '/' + kc.tokenParsed.session_state;
}
kc.sessionId = sessionId;
kc.authenticated = true;
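Review bot: The `kc.sessionId` string built here duplicates the format of the server's session cookie value, and nothing at the assignment says so. The two are presumably compared for the iframe session support mentioned in the server code, so a change to the separator on either side would silently break that check. Suggest a comment above the assignment: `// Must equal the server's session cookie value: realm/sub[/session_state]`. The enclosing token-handling function starts and ends outside the hunk.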


@ -111,12 +111,13 @@ public class AuthenticationManager {
CookieHelper.addCookie(KEYCLOAK_IDENTITY_COOKIE, encoded, cookiePath, null, null, maxAge, secureOnly, true);
//builder.cookie(new NewCookie(cookieName, encoded, cookiePath, null, null, maxAge, secureOnly));// todo httponly , true);
String sessionCookieValue = realm.getName() + "-" + user.getId();
String sessionCookieValue = realm.getName() + "/" + user.getId();
if (session != null) {
sessionCookieValue += "-" + session.getId();
sessionCookieValue += "/" + session.getId();
}
// THIS SHOULD NOT BE A HTTPONLY COOKIE! It is used for OpenID Connect Iframe Session support!
CookieHelper.addCookie(KEYCLOAK_SESSION_COOKIE, sessionCookieValue, cookiePath, null, null, maxAge, secureOnly, false);
// Max age should be set to the max lifespan of the session as it's used to invalidate old-sessions on re-login
CookieHelper.addCookie(KEYCLOAK_SESSION_COOKIE, sessionCookieValue, cookiePath, null, null, realm.getSsoSessionMaxLifespan(), secureOnly, false);
}
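Review bot: The session cookie is readable by script (last argument `false`) and now lives for `realm.getSsoSessionMaxLifespan()` instead of `maxAge`. If `maxAge` was a browser-session value for logins without remember-me (its computation is outside the hunk), the realm name, user id and session id now persist in the browser after it closes; worth confirming that this is intended and that logout expires the cookie. The value is also joined with `/` without escaping, while the reader in OAuthFlows takes the third `/`-separated segment, so a realm name or user id containing `/` would yield the wrong session id. A comment such as `// Format: realm/userId[/sessionId]; parts must not contain '/'`, or encoding each part, would make the contract explicit.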


@ -99,6 +99,19 @@ public class OAuthFlows {
Response.ResponseBuilder location = Response.status(302).location(redirectUri.build());
Cookie remember = request.getHttpHeaders().getCookies().get(AuthenticationManager.KEYCLOAK_REMEMBER_ME);
rememberMe = rememberMe || remember != null;
Cookie sessionCookie = request.getHttpHeaders().getCookies().get(AuthenticationManager.KEYCLOAK_SESSION_COOKIE);
if (sessionCookie != null) {
String oldSessionId = sessionCookie.getValue().split("/")[2];
if (!oldSessionId.equals(session.getId())) {
UserSessionModel oldSession = realm.getUserSession(oldSessionId);
if (oldSession != null) {
log.debugv("Removing old user session: session: {0}", oldSessionId);
realm.removeUserSession(oldSession);
}
}
}
// refresh the cookies!
authManager.createLoginCookie(realm, accessCode.getUser(), session, uriInfo, rememberMe);
if (rememberMe) authManager.createRememberMeCookie(realm, uriInfo);
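Review bot: `sessionCookie.getValue().split("/")[2]` indexes a client-supplied cookie without checking its shape, so a cookie written in the previous `-` format, or one created while `session` was null (two segments only), would throw ArrayIndexOutOfBoundsException during the login redirect. Suggest `String[] parts = sessionCookie.getValue().split("/");` followed by `if (parts.length == 3 && !parts[2].equals(session.getId()))`. The cookie is not HttpOnly and its value is a plain concatenation, so the id it carries should be treated as untrusted: before `realm.removeUserSession(oldSession)`, confirm that the old session belongs to `accessCode.getUser()`, otherwise a login can end another user's session whose id is supplied in the cookie. The enclosing method starts and ends outside the hunk.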